Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.12
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2024-12085 CVE-2024-53104 CVE-2024-52336 CVE-2024-52337 CVE-2024-56326 |
| CWE-ID | CWE-457 CWE-787 CWE-94 CWE-117 CWE-254 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #2 is being exploited in the wild. |
| Vulnerable software |
Red Hat OpenShift Container Platform Client/Desktop applications / Software for system administration |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Use of Uninitialized Variable
EUVDB-ID: #VU102730
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-12085
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to information leak when comparing file checksums. A remote attacker can pass specially crafted data to the daemon and read 1 byte of uninitialized memory from stack.
Install updates from vendor's website.
Red Hat OpenShift Container Platform: before 4.12.73
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2025:1242
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU101102
Risk: High
CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2024-53104
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an out-of-bounds read error within the uvc_parse_format() function in drivers/media/usb/uvc/uvc_driver.c. A local user can trigger an out-of-bounds write and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Install updates from vendor's website.
Red Hat OpenShift Container Platform: before 4.12.73
CPE2.3https://access.redhat.com/errata/RHSA-2025:1242
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
3) Code Injection
EUVDB-ID: #VU101026
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-52336
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the instance_create() D-Bus function. A local user can execute arbitrary script with root privileges.
Install updates from vendor's website.
Red Hat OpenShift Container Platform: before 4.12.73
CPE2.3https://access.redhat.com/errata/RHSA-2025:1242
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Output Neutralization for Logs
EUVDB-ID: #VU101024
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-52337
CWE-ID:
CWE-117 - Improper Output Neutralization for Logs
Exploit availability: No
DescriptionThe vulnerability allows a local user to spoof contents of log files.
The vulnerability exists due to improper input validation when handling log API method parameters from the D-Bus interface. A local user can pass specially crafted input into the log file and spoof its content.
Install updates from vendor's website.
Red Hat OpenShift Container Platform: before 4.12.73
CPE2.3https://access.redhat.com/errata/RHSA-2025:1242
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Security features bypass
EUVDB-ID: #VU101972
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-56326
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass sandbox restrictions.
The vulnerability exists in the way the Jinja sandboxed environment detects calls to str.format. A local user with the ability to control the contents of a template can bypass sandbox restrictions. MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: before 4.12.73
CPE2.3https://access.redhat.com/errata/RHSA-2025:1242
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
