SB2025022530 - Multiple vulnerabilities in OpenShift Data Foundation (formerly OpenShift Container Storage)

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-6104)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data obtain from HTTP requests.

2) Prototype pollution (CVE-ID: CVE-2024-21528)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation within the addTranslations() function in gettext.js. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

3) Input validation error (CVE-ID: CVE-2023-44270)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of external CSS files when parsing the "\r" character. A remote attacker can pass specially crafted input to the application and perform spoofing attack.

4) Improper authorization (CVE-ID: CVE-2024-45337)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.

5) Resource exhaustion (CVE-ID: CVE-2024-45338)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in several Parse functions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

6) Out-of-bounds write (CVE-ID: CVE-2019-12900)

7) Cross-site scripting (CVE-ID: CVE-2020-11023)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

8) Use-after-free (CVE-ID: CVE-2022-49043)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the xmlXIncludeAddNode() function in xinclude.c. A remote attacker can pass specially crafted XML input to the application, trigger a use-after-free error and crash the application or potentially execute arbitrary code.

9) Improper authentication (CVE-ID: CVE-2024-12797)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when using RFC7250 Raw Public Keys (RPKs) to authenticate a server. TLS and DTLS connections using raw public keys are vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.

Note, the vulnerability can be exploited only when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2025:1829