CVE-2024-45496

17.09.2024, 00:15

A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
redhat	CNA	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://access.redhat.com/errata/RHSA-2024:3718

https://access.redhat.com/errata/RHSA-2024:6685

https://access.redhat.com/errata/RHSA-2024:6687

https://access.redhat.com/errata/RHSA-2024:6689

https://access.redhat.com/errata/RHSA-2024:6691

https://access.redhat.com/errata/RHSA-2024:6705

https://access.redhat.com/security/cve/CVE-2024-45496

https://bugzilla.redhat.com/show_bug.cgi?id=2308661