Logging Subsystem For Red Hat Openshift
Monthly
Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. An attacker who has obtained an editor role within the logging namespace can weaponize this design gap to exfiltrate high-privilege SA tokens and escalate to broader cluster access. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. An attacker who has obtained an editor role within the logging namespace can weaponize this design gap to exfiltrate high-privilege SA tokens and escalate to broader cluster access. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.