SB2024042548 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024042548

SB2024042548 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14

Published: April 25, 2024

Security Bulletin ID SB2024042548
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 80% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2023-49569)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can overwrite arbitrary files on the system. Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone).


2) Resource exhaustion (CVE-ID: CVE-2023-49568)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling responses from a Git server. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Trust Boundary Violation (CVE-ID: CVE-2024-1725)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to an error in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). A remote user can gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.


4) Cross-site scripting (CVE-ID: CVE-2023-3978)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


5) Resource exhaustion (CVE-ID: CVE-2023-47108)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to grpc Unary Server Interceptor does not properly control consumption of internal resources when processing multiple requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References