Incorrect Permission Assignment for Critical Resource
CVE-2024-45497
Summary
A flaw was identified in the OpenShift build process where the docker-build container is configured with a "hostPath" volume mount that maps the node's "/var/lib/kubelet/config.json" file into the build pod. This file holds the node's pull credentials for private image registries. The mount is not marked read-only, so code running inside the build container can overwrite the node's copy of the file. By modifying "config.json", an attacker could cause a denial of service by preventing the node from pulling new images, and could potentially exfiltrate the registry credentials, impacting service availability and exposing confidential information.
CVSS v3.1 base metrics (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H):
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: LOW
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: LOW
- Integrity: LOW
- Availability: HIGH
CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
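The weakness comes down to one missing field: a hostPath volumeMount in Kubernetes is writable unless the mount sets "readOnly: true". The following added example (not code from the advisory or from OpenShift) audits a pod manifest for writable hostPath mounts that expose a sensitive node file and produces the hardened form. The pod spec is constructed to mirror the advisory's description; the volume name "node-pullsecrets", the image name and the list of sensitive paths are assumptions, and the real OpenShift build pod may differ.

```python
"""Audit pod specs for writable hostPath mounts that expose sensitive node files."""
import copy
from typing import Dict, List

# Node files whose exposure through a writable mount lets a container tamper
# with the node's own credentials. The list is an assumption for this example;
# /var/lib/kubelet/config.json is the file named in the advisory.
SENSITIVE_NODE_FILES = (
    "/var/lib/kubelet/config.json",
)

# Constructed manifest modelled on the advisory: a hostPath volume mapping the
# kubelet's registry credentials file into a container named "docker-build"
# with no readOnly flag. Not the real OpenShift build pod spec; the volume
# name and image are assumptions.
VULNERABLE_BUILD_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-build-1-build", "namespace": "example"},
    "spec": {
        "volumes": [
            {"name": "node-pullsecrets",
             "hostPath": {"path": "/var/lib/kubelet/config.json", "type": "File"}},
            {"name": "buildworkdir", "emptyDir": {}},
        ],
        "containers": [
            {
                "name": "docker-build",
                "image": "example.invalid/openshift/docker-builder:latest",
                "volumeMounts": [
                    {"name": "node-pullsecrets",
                     "mountPath": "/var/lib/kubelet/config.json"},
                    {"name": "buildworkdir", "mountPath": "/tmp/build"},
                ],
            }
        ],
    },
}


def _exposes(host_path: str, target: str) -> bool:
    """True if mounting host_path gives access to target (same file or an ancestor dir)."""
    if host_path == target:
        return True
    prefix = host_path.rstrip("/") + "/"
    return target.startswith(prefix)


def find_writable_hostpath_mounts(pod: Dict) -> List[Dict]:
    """Return every hostPath volumeMount that is writable and exposes a sensitive node file."""
    spec = pod.get("spec", {})
    host_paths = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v
    }
    findings: List[Dict] = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            host_path = host_paths.get(mount["name"])
            if host_path is None:
                continue  # not a hostPath volume (emptyDir, secret, ...)
            # Kubernetes defaults readOnly to false, so a missing key means writable.
            if mount.get("readOnly", False):
                continue
            exposed = [t for t in SENSITIVE_NODE_FILES if _exposes(host_path, t)]
            if exposed:
                findings.append({
                    "container": container["name"],
                    "volume": mount["name"],
                    "hostPath": host_path,
                    "mountPath": mount["mountPath"],
                    "exposes": exposed,
                })
    return findings


def harden_hostpath_mounts(pod: Dict) -> Dict:
    """Return a copy of the pod with readOnly: true on every hostPath volumeMount."""
    hardened = copy.deepcopy(pod)
    spec = hardened.get("spec", {})
    host_volumes = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in host_volumes:
                mount["readOnly"] = True
    return hardened


if __name__ == "__main__":
    for f in find_writable_hostpath_mounts(VULNERABLE_BUILD_POD):
        print(f"WRITABLE hostPath in container {f['container']}: "
              f"{f['hostPath']} -> {f['mountPath']}")
    print("after hardening:", find_writable_hostpath_mounts(harden_hostpath_mounts(VULNERABLE_BUILD_POD)))
```

On a live cluster the same function can be run over the output of `kubectl get pods -A -o json` (each entry of "items" is a pod dict). Note what "readOnly: true" does and does not fix: it stops the build container from overwriting the node's credentials file, which removes the integrity and availability impact, but the file's contents are still readable inside the container, which is what the build needs in order to pull images.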
Advisory Timeline
- Published