SB2024091955 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.12

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024091955

SB2024091955 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.12

Published: September 19, 2024 Updated: August 29, 2025

Security Bulletin ID SB2024091955
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2024-7387)

The vulnerability allows a remote user to escalate privileges within the container.

The vulnerability exists due to input validation error when processing directory traversal sequences in openshift/builder. A remote user can send a specially crafted HTTP request and escalate their permissions on the node running the container.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-45496)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions during the build initialization step. A remote user can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node.


3) Resource management error (CVE-ID: CVE-2024-1737)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a very large number of RRs. Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.


4) Resource exhaustion (CVE-ID: CVE-2024-1975)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.


5) Arbitrary file upload (CVE-ID: CVE-2024-32002)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.


6) Code Injection (CVE-ID: CVE-2024-32004)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a process control issue while cloning special-crafted local repositories. A remote attacker can execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References