Multiple vulnerabilities in Red Hat OpenShift Dev Spaces 3.18

Published: 2025-02-03

Risk	Medium
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2024-21538 CVE-2023-44270 CVE-2024-45337 CVE-2024-45338 CVE-2024-45801 CVE-2024-55565
CWE-ID	CWE-185 CWE-20 CWE-285 CWE-400 CWE-1321 CWE-835
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #3 is available.
Vulnerable software	Red Hat OpenShift Dev Spaces Server applications / Other server solutions
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Incorrect Regular Expression

EUVDB-ID: #VU100921

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21538

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Dev Spaces: before 3.18.0

CPE2.3

cpe:2.3:a:red_hat:red_hat_openshift_dev_spaces:*:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2025:0892

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU81307

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-44270

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of external CSS files when parsing the "\r" character. A remote attacker can pass specially crafted input to the application and perform spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Dev Spaces: before 3.18.0

CPE2.3

cpe:2.3:a:red_hat:red_hat_openshift_dev_spaces:*:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2025:0892

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper authorization

EUVDB-ID: #VU101777

Risk: Medium

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-45337

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Dev Spaces: before 3.18.0

CPE2.3

cpe:2.3:a:red_hat:red_hat_openshift_dev_spaces:*:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2025:0892

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Resource exhaustion

EUVDB-ID: #VU101868

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-45338

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in several Parse functions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Dev Spaces: before 3.18.0

CPE2.3

cpe:2.3:a:red_hat:red_hat_openshift_dev_spaces:*:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2025:0892

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Prototype pollution

EUVDB-ID: #VU97758

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-45801

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in XSS attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Dev Spaces: before 3.18.0

CPE2.3