CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-45497: Openshift-api: build process in openshift allows overwriting of node pull credentials

Description

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

Classification

CVE ID: CVE-2024-45497

Affected Products

Vendor: Red Hat

Product: Red Hat Fuse 7

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 15.62% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://access.redhat.com/security/cve/CVE-2024-45497
https://bugzilla.redhat.com/show_bug.cgi?id=2308673

Timeline

2025-01-01 00:30:26 UTC
CVE

Openshift-api: build process in openshift allows overwriting of node pull credentials