Lucene search

[email protected]CVE-2024-1725

HistoryMar 07, 2024 - 8:15 p.m.

CVE-2024-1725

2024-03-0720:15:50

CWE-501

[email protected]

web.nvd.nist.gov

116

flaw

kubevirt-csi

openshift virtualization

hcp

authenticated attacker

root access

worker node

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

A flaw was found in the kubevirt-csi component of OpenShift Virtualization’s Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node’s volume by creating a custom Persistent Volume that matches the name of a worker node.

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.13",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/kubevirt-csi-driver-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.13.0-202404200313.p0.g9d909f7.assembly.stream.el8",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.13::el8",
      "cpe:/a:redhat:openshift:4.13::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.14",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/kubevirt-csi-driver-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.14.0-202404161544.p0.g48fafc4.assembly.stream.el8",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.14::el9",
      "cpe:/a:redhat:openshift:4.14::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.15",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift4/kubevirt-csi-driver-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "v4.15.0-202403220332.p0.gd3bdbce.assembly.stream.el8",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift:4.15::el9",
      "cpe:/a:redhat:openshift:4.15::el8"
    ]
  }
]

References

access.redhat.com/errata/RHSA-2024:1559

access.redhat.com/errata/RHSA-2024:1891

access.redhat.com/errata/RHSA-2024:2047

access.redhat.com/security/cve/CVE-2024-1725

bugzilla.redhat.com/show_bug.cgi?id=2265398

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for CVE-2024-1725

prion1 redhatcve1 cvelist1 nvd1 redhat3