CVE-2024-45497

EPSS 0.44%
Published 31.12.2024 03:15:05
Last modified 17.07.2025 08:15:27
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

Affected products Warnungen 0 Metrics 2 CWE 1 References 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/openshift

≫

Package openshift

Default Statusunknown

Version 4.16

Status affected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4.12

Default Statusaffected

Version < *

Version v4.12.0-202506062300.p0.gb870fc6.assembly.stream.el8

Status unaffected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4.13

Default Statusaffected

Version < *

Version v4.13.0-202507061330.p0.g9abb220.assembly.stream.el8

Status unaffected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4.14

Default Statusaffected

Version < *

Version v4.14.0-202506112307.p0.g700dc11.assembly.stream.el8

Status unaffected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4.16

Default Statusaffected

Version < *

Version v4.16.0-202506062300.p0.gd26f300.assembly.stream.el9

Status unaffected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4.17

Default Statusaffected

Version < *

Version v4.17.0-202507011904.p0.g2b2ba3b.assembly.stream.el9

Status unaffected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4.18

Default Statusaffected

Version < *

Version v4.18.0-202506062012.p0.g0a6f6eb.assembly.stream.el9

Status unaffected

VendorRed Hat

≫

Product Red Hat Fuse 7

Default Statusunknown

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat OpenShift Container Platform 4

Default Statusaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.44%	0.625

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://access.redhat.com/security/cve/CVE-2024-45497

https://bugzilla.redhat.com/show_bug.cgi?id=2308673

https://access.redhat.com/errata/RHSA-2025:9269

https://access.redhat.com/errata/RHSA-2025:9765

https://access.redhat.com/errata/RHSA-2025:9759

https://access.redhat.com/errata/RHSA-2025:10294

https://access.redhat.com/errata/RHSA-2025:10270

https://access.redhat.com/errata/RHSA-2025:10747

https://nvd.nist.gov/vuln/detail/CVE-2024-45497

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45497

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45497

EUVD