Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17

Published: 2025-01-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-45337 CVE-2024-45338
CWE-ID	CWE-285 CWE-400
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Red Hat OpenShift Container Platform Client/Desktop applications / Software for system administration
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper authorization

EUVDB-ID: #VU101777

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-45337

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Container Platform: before 4.17.14

CPE2.3

cpe:2.3:a:red_hat:red_hat_openshift_container_platform:*:*:*:*:*:*:*:*

External links

http://access.redhat.com/errata/RHSA-2025:0653

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Resource exhaustion

EUVDB-ID: #VU101868

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-45338

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No