CVE-2024-7631

Openshift-console: openshift console: path traversal

Description

A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.

Remediation

Workaround:

Red Hat Product Security does not have any recommended mitigations at this time. Please update to a patched version of the component as soon as it is available.

References

Link	Tags
https://access.redhat.com/security/cve/CVE-2024-7631	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2296053	issue tracking

Frequently Asked Questions

What is the severity of CVE-2024-7631?: CVE-2024-7631 has been scored as a medium severity vulnerability.
How to fix CVE-2024-7631?: As a workaround for remediating CVE-2024-7631: Red Hat Product Security does not have any recommended mitigations at this time. Please update to a patched version of the component as soon as it is available.
Is CVE-2024-7631 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-7631 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-7631?: CVE-2024-7631 affects Red Hat Red Hat OpenShift Container Platform 3.11, Red Hat Red Hat OpenShift Container Platform 4.

Description

Remediation

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions