Incorrect Permission Assignment for Critical Resource

CVE-2024-45497

Severity High
Score 7.6/10

Summary

A flaw was identified in the OpenShift build process where the docker-build container is configured with a "hostPath" volume mount that maps the node's "/var/lib/kubelet/config.json" file into the build pod. This file contains sensitive credentials for accessing private image repositories. The mount is not read-only, allowing attackers to overwrite it. By modifying the "config.json" file, an attacker could cause a denial of service by preventing the node from pulling new images and potentially exfiltrate sensitive secrets, impacting service availability and exposing confidential information.
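As an added illustration (not code from this advisory or from OpenShift), a small Python audit that flags the pattern described above in a pod spec: a hostPath volume mounted into a container without readOnly. The pod specs, volume names and image names are constructed for the example.

```python
import copy

# Node paths whose exposure into a pod is worth flagging (constructed list;
# the first entry is the file named in the advisory).
SENSITIVE_HOST_PATHS = (
    "/var/lib/kubelet/config.json",
    "/var/lib/kubelet",
    "/etc/kubernetes",
    "/var/run/docker.sock",
)


def _is_sensitive(path):
    return any(path == s or path.startswith(s.rstrip("/") + "/")
               for s in SENSITIVE_HOST_PATHS)


def writable_hostpath_findings(pod):
    """Return (container, mountPath, hostPath) for every mount of a sensitive
    hostPath volume that is not read-only. A volumeMount without readOnly is
    writable, because the field defaults to false."""
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m.get("name"))
            if path is not None and _is_sensitive(path) and not m.get("readOnly", False):
                findings.append((c["name"], m["mountPath"], path))
    return findings


# Constructed pod spec shaped like the advisory's description: the build
# container mounts the node's kubelet config.json and omits readOnly.
VULNERABLE_POD = {
    "metadata": {"name": "example-build-1-build"},
    "spec": {
        "volumes": [{"name": "node-pullsecrets",
                     "hostPath": {"path": "/var/lib/kubelet/config.json", "type": "File"}}],
        "containers": [{"name": "docker-build", "image": "example.invalid/builder:1",
                        "volumeMounts": [{"name": "node-pullsecrets",
                                          "mountPath": "/var/lib/kubelet/config.json"}]}],
    },
}

# Hardened variant: same mount, but readOnly: true stops the overwrite.
HARDENED_POD = copy.deepcopy(VULNERABLE_POD)
HARDENED_POD["spec"]["containers"][0]["volumeMounts"][0]["readOnly"] = True

if __name__ == "__main__":
    for pod in (VULNERABLE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], writable_hostpath_findings(pod))
```

A read-only mount removes the overwrite path the advisory describes, but it does not stop a container from reading the credentials, so any hostPath exposure of this file still deserves review.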

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: LOW
  • Integrity: LOW
  • Availability: HIGH

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Advisory Timeline

  • Published