Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-7387

Date: September 16, 2024

A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.

Language: Go

Severity Score

Related Resources (14)

https://nvd.nist.gov/vuln/detail/CVE-2024-7387
https://github.com/openshift/builder/commit/0b62633adfa2836465202bc851885e078ec888d1
https://access.redhat.com/errata/RHSA-2024:6691
https://access.redhat.com/errata/RHSA-2024:6687
https://access.redhat.com/errata/RHSA-2024:6685
https://github.com/openshift/builder
https://pkg.go.dev/vuln/GO-2024-3129
https://bugzilla.redhat.com/show_bug.cgi?id=2302259
https://access.redhat.com/security/cve/CVE-2024-7387
https://github.com/advisories/GHSA-qqv8-ph7f-h3f7
https://stuxxn.github.io/advisory/2024/10/02/openshift-build-docker-priv-esc.html
https://access.redhat.com/errata/RHSA-2024:6689
https://access.redhat.com/errata/RHSA-2024:6705
https://www.mend.io/vulnerability-database/CVE-2024-7387

Severity Score

Weakness Type (CWE)

Execution with Unnecessary Privileges

CWE-250

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us