From e42c28f4b6e9f25172d54743636a7c0c55ea0ff0 Mon Sep 17 00:00:00 2001 From: cvelistV5 Github Action Date: Tue, 31 Dec 2024 02:32:50 +0000 Subject: [PATCH] 1 changes (1 new | 0 updated): - 1 new CVEs: CVE-2024-45497 - 0 updated CVEs: --- cves/2024/45xxx/CVE-2024-45497.json | 144 ++++++++++++++++++++++++++++ cves/delta.json | 10 +- cves/deltaLog.json | 14 +++ 3 files changed, 163 insertions(+), 5 deletions(-) create mode 100644 cves/2024/45xxx/CVE-2024-45497.json diff --git a/cves/2024/45xxx/CVE-2024-45497.json b/cves/2024/45xxx/CVE-2024-45497.json new file mode 100644 index 00000000000..72c2ed40816 --- /dev/null +++ b/cves/2024/45xxx/CVE-2024-45497.json @@ -0,0 +1,144 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2024-45497", + "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "state": "PUBLISHED", + "assignerShortName": "redhat", + "dateReserved": "2024-08-30T10:12:13.684Z", + "datePublished": "2024-12-31T02:19:22.553Z", + "dateUpdated": "2024-12-31T02:19:22.553Z" + }, + "containers": { + "cna": { + "title": "Openshift-api: build process in openshift allows overwriting of node pull credentials", + "metrics": [ + { + "other": { + "content": { + "value": "Moderate", + "namespace": "https://access.redhat.com/security/updates/classification/" + }, + "type": "Red Hat severity rating" + } + }, + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", + "version": "3.1" + }, + "format": "CVSS" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties." + } + ], + "affected": [ + { + "vendor": "Red Hat", + "product": "Red Hat Fuse 7", + "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", + "packageName": "org.arquillian.cube/arquillian-cube-openshift-api", + "defaultStatus": "unknown", + "cpes": [ + "cpe:/a:redhat:jboss_fuse:7" + ] + }, + { + "vendor": "Red Hat", + "product": "Red Hat OpenShift Container Platform 4", + "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", + "packageName": "openshift4/ose-cluster-openshift-apiserver-operator", + "defaultStatus": "unknown", + "cpes": [ + "cpe:/a:redhat:openshift:4" + ] + }, + { + "vendor": "Red Hat", + "product": "Red Hat OpenShift Container Platform 4", + "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", + "packageName": "openshift4/ose-openshift-apiserver-rhel7", + "defaultStatus": "unknown", + "cpes": [ + "cpe:/a:redhat:openshift:4" + ] + } + ], + "references": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2024-45497", + "tags": [ + "vdb-entry", + "x_refsource_REDHAT" + ] + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308673", + "name": "RHBZ#2308673", + "tags": [ + "issue-tracking", + "x_refsource_REDHAT" + ] + } + ], + "datePublic": "2024-12-15T00:00:00+00:00", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-732", + "description": "Incorrect Permission Assignment for Critical Resource", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "x_redhatCweChain": "CWE-732: Incorrect Permission Assignment for Critical Resource", + "workarounds": [ + { + "lang": "en", + "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." + } + ], + "timeline": [ + { + "lang": "en", + "time": "2024-08-29T00:00:00+00:00", + "value": "Reported to Red Hat." + }, + { + "lang": "en", + "time": "2024-12-15T00:00:00+00:00", + "value": "Made public." + } + ], + "credits": [ + { + "lang": "en", + "value": "This issue was discovered by Thibault Guittet (Red Hat)." + } + ], + "providerMetadata": { + "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "shortName": "redhat", + "dateUpdated": "2024-12-31T02:19:22.553Z" + } + } + } +} \ No newline at end of file diff --git a/cves/delta.json b/cves/delta.json index 55f429990bd..27239919d9f 100644 --- a/cves/delta.json +++ b/cves/delta.json @@ -1,12 +1,12 @@ { - "fetchTime": "2024-12-31T02:06:46.757Z", + "fetchTime": "2024-12-31T02:32:35.038Z", "numberOfChanges": 1, "new": [ { - "cveId": "CVE-2024-13040", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-13040", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/13xxx/CVE-2024-13040.json", - "dateUpdated": "2024-12-31T01:35:20.576Z" + "cveId": "CVE-2024-45497", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-45497", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/45xxx/CVE-2024-45497.json", + "dateUpdated": "2024-12-31T02:19:22.553Z" } ], "updated": [], diff --git a/cves/deltaLog.json b/cves/deltaLog.json index eb1b9f149b5..24741a8cc7e 100644 --- a/cves/deltaLog.json +++ b/cves/deltaLog.json @@ -1,4 +1,18 @@ [ + { + "fetchTime": "2024-12-31T02:32:35.038Z", + "numberOfChanges": 1, + "new": [ + { + "cveId": "CVE-2024-45497", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-45497", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/45xxx/CVE-2024-45497.json", + "dateUpdated": "2024-12-31T02:19:22.553Z" + } + ], + "updated": [], + "error": [] + }, { "fetchTime": "2024-12-31T02:06:46.757Z", "numberOfChanges": 1,