Red Hat OpenShift AI odh-dashboard Kubernetes Service Account Token Disclosure Vulnerability
Vulnerability
A vulnerability exists in the odh-dashboard component of Red Hat OpenShift AI, specifically in versions 2.16.4 and 3.3. The flaw allows unauthorized disclosure of Kubernetes Service Account tokens through a NodeJS endpoint of the dashboard backend, which can give an attacker access to sensitive Kubernetes resources. Exploitation requires authenticated access to the dashboard and the presence of a specific NIM account resource on the cluster.
Impact
An attacker who obtains a disclosed Service Account token can use it against the Kubernetes API with that account's permissions, gaining unauthorized access to cluster resources.
Remediation
Users should upgrade to Red Hat OpenShift AI version 2.16.4 or 3.3, depending on the release stream they are on. Those unable to upgrade immediately can disable or remove the NIM integration as a temporary mitigation, since the disclosure depends on the NIM account resource being present.
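The advisory describes the classic shape of this bug class: a backend endpoint that fetches a Kubernetes object on the user's behalf and returns it to the browser without stripping Secret payloads. The following is an added illustrative example, not odh-dashboard code and not Red Hat's fix, showing the defensive pattern a Node.js backend can apply before any Kubernetes object reaches a client: Service Account token Secrets are dropped entirely, other Secrets lose their `data`/`stringData`, the `last-applied-configuration` annotation (which can embed a copy of a Secret) is removed, and any JWT-shaped string anywhere in the object is redacted as defence in depth. The Kubernetes identifiers (`kubernetes.io/service-account-token`, `data`, `stringData`, the kubectl annotation) are real; the sample objects, the `Account` custom resource under `example.invalid/v1`, and the token value are constructed for the example.

```javascript
'use strict';

// Illustrative example (not odh-dashboard code): a response sanitizer for a
// Node.js backend that proxies Kubernetes API objects to a browser client.
// Rule demonstrated: Secret payloads, and anything token-shaped, never leave
// the backend, whatever object the endpoint was asked for.

// Compact JWS/JWT shape (base64url header.payload.signature). Kubernetes
// Service Account tokens are JWTs, so this catches tokens copied into
// unexpected places (status fields, annotations, ...).
const JWT_RE = /^eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$/;

// Real Kubernetes identifiers: the Secret type used for SA tokens, the Secret
// payload fields, and the kubectl annotation that may embed a whole Secret.
const SA_TOKEN_SECRET_TYPE = 'kubernetes.io/service-account-token';
const SECRET_PAYLOAD_FIELDS = ['data', 'stringData'];
const LAST_APPLIED_ANNOTATION = 'kubectl.kubernetes.io/last-applied-configuration';

// Returns a sanitized deep copy of `obj` and records what was removed in
// `report.redacted` (JSONPath-like strings) so the backend can log it.
// SA token Secrets are dropped entirely (returns undefined); other Secrets
// keep metadata only; any JWT-shaped string is replaced with a marker.
function sanitizeForClient(obj, report = { redacted: [] }, path = '$') {
  if (typeof obj === 'string') {
    if (JWT_RE.test(obj)) {
      report.redacted.push(path);
      return '[REDACTED]';
    }
    return obj;
  }
  if (obj === null || typeof obj !== 'object') return obj;
  if (Array.isArray(obj)) {
    return obj
      .map((v, i) => sanitizeForClient(v, report, `${path}[${i}]`))
      .filter((v) => v !== undefined);
  }

  let src = obj;
  if (obj.kind === 'Secret') {
    if (obj.type === SA_TOKEN_SECRET_TYPE) {
      report.redacted.push(path);
      return undefined; // never forward a Service Account token Secret
    }
    src = { ...obj };
    for (const field of SECRET_PAYLOAD_FIELDS) {
      if (field in src) {
        delete src[field];
        report.redacted.push(`${path}.${field}`);
      }
    }
  }

  const out = {};
  for (const [key, value] of Object.entries(src)) {
    if (key === LAST_APPLIED_ANNOTATION) {
      report.redacted.push(`${path}.${key}`); // may contain a copy of secret data
      continue;
    }
    const clean = sanitizeForClient(value, report, `${path}.${key}`);
    if (clean !== undefined) out[key] = clean;
  }
  return out;
}

// Constructed sample input: what a naive "return the object as-is" endpoint
// might hand back. All values are fake; the token is a made-up JWT-shaped
// string and the Account resource is a hypothetical custom resource.
const FAKE_JWT = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJmYWtlIn0.c2lnbmF0dXJl';
const SAMPLE_LIST = {
  kind: 'List',
  apiVersion: 'v1',
  items: [
    { kind: 'ConfigMap', apiVersion: 'v1', metadata: { name: 'cm' }, data: { key: 'value' } },
    { kind: 'Secret', apiVersion: 'v1', type: 'Opaque',
      metadata: { name: 'api-key', annotations: { [LAST_APPLIED_ANNOTATION]: '{"data":{"k":"..."}}' } },
      data: { apiKey: 'c2VjcmV0' } },
    { kind: 'Secret', apiVersion: 'v1', type: SA_TOKEN_SECRET_TYPE,
      metadata: { name: 'sa-token' }, data: { token: 'ZXlK...' } },
    { kind: 'Account', apiVersion: 'example.invalid/v1', // hypothetical CR
      metadata: { name: 'nim' }, status: { token: FAKE_JWT } },
  ],
};

// Runs the sanitizer over the constructed sample and returns body + report.
function sanitizeSample() {
  const report = { redacted: [] };
  return { body: sanitizeForClient(SAMPLE_LIST, report), report };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sanitizeSample(), null, 2));
}
```

On the sample, the sanitizer drops the SA token Secret from the list, strips `data` and the kubectl annotation from the Opaque Secret, redacts the JWT-shaped `status.token` of the custom resource, and leaves the ConfigMap untouched; the `report.redacted` paths are what a backend would write to its audit log so that attempted or accidental token exposure is detectable.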
