Privilege Escalation Vulnerability in OpenShift Dedicated by Red Hat
CVE-2024-25131

8.8HIGH

Key Information:

Vendor: Red Hat
Vendor: CVE Published:; 19 December 2024

What is CVE-2024-25131?

A vulnerability exists in the MustGather.managed.openshift.io Custom Defined Resource (CRD) within OpenShift Dedicated. This flaw allows non-privileged users to create a MustGather object containing a specially crafted file. By doing so, these users can configure the most privileged service account to execute the job. This misconfiguration can lead to an escalation of privileges, effectively granting standard developer users the ability to act as cluster administrators and potentially pivot to the underlying AWS environment. Organizations utilizing OpenShift Dedicated must address this vulnerability to safeguard against unauthorized access and maintain a secure cloud infrastructure.

References

https://access.redhat.com/security/cve/CVE-2024-25131

https://bugzilla.redhat.com/show_bug.cgi?id=2258856

https://github.com/openshift/must-gather-operator/pull/135

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 19, 2024