Nixpkgs security tracker
6.0 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): Present (P)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): Low (L)
- Subsequent System Impact Integrity (SI): Low (L)
- Subsequent System Impact Availability (SA): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): Present (P)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Low (L)
- Modified Subsequent System Impact Integrity (MSI): Low (L)
- Modified Subsequent System Impact Availability (MSA): Low (L)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
ServiceAccount token disclosure via Azure IPAM CNI plugin logs
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation — once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.
References
Affected products
- <3.32.0
- <22.4.0
- <3.22.3
- <3.21.7
Matching in nixpkgs
pkgs.calicoctl
Cloud native networking and network security
pkgs.calico-typha
Cloud native networking and network security
pkgs.confd-calico
Cloud native networking and network security
pkgs.calico-apiserver
Cloud native networking and network security
pkgs.calico-app-policy
Cloud native networking and network security
pkgs.calico-cni-plugin
Cloud native networking and network security
pkgs.calico-pod2daemon
Cloud native networking and network security
-
nixos-unstable pod2daemon-3.31.5
- nixpkgs-unstable pod2daemon-3.31.5
- nixos-unstable-small pod2daemon-3.31.5
-
nixos-25.11 pod2daemon-3.30.4
- nixos-25.11-small pod2daemon-3.30.4
- nixpkgs-25.11-darwin pod2daemon-3.30.4