CVE-2024-45497

EPSS 0.44%
Veröffentlicht 31.12.2024 03:15:05
Zuletzt bearbeitet 17.07.2025 08:15:27
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/openshift

≫

Paket openshift

Default Statusunknown

Version 4.16

Status affected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4.12

Default Statusaffected

Version < *

Version v4.12.0-202506062300.p0.gb870fc6.assembly.stream.el8

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4.13

Default Statusaffected

Version < *

Version v4.13.0-202507061330.p0.g9abb220.assembly.stream.el8

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4.14

Default Statusaffected

Version < *

Version v4.14.0-202506112307.p0.g700dc11.assembly.stream.el8

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4.16

Default Statusaffected

Version < *

Version v4.16.0-202506062300.p0.gd26f300.assembly.stream.el9

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4.17

Default Statusaffected

Version < *

Version v4.17.0-202507011904.p0.g2b2ba3b.assembly.stream.el9

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4.18

Default Statusaffected

Version < *

Version v4.18.0-202506062012.p0.g0a6f6eb.assembly.stream.el9

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Fuse 7

Default Statusunknown

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift Container Platform 4

Default Statusaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.625

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://access.redhat.com/security/cve/CVE-2024-45497

https://bugzilla.redhat.com/show_bug.cgi?id=2308673

https://access.redhat.com/errata/RHSA-2025:9269

https://access.redhat.com/errata/RHSA-2025:9765

https://access.redhat.com/errata/RHSA-2025:9759

https://access.redhat.com/errata/RHSA-2025:10294

https://access.redhat.com/errata/RHSA-2025:10270

https://access.redhat.com/errata/RHSA-2025:10747

https://nvd.nist.gov/vuln/detail/CVE-2024-45497

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45497

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45497

EUVD