{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7387", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-08-01T15:14:15.077Z", "datePublished": "2024-09-16T23:58:35.176Z", "dateUpdated": "2024-11-24T19:21:43.241Z"}, "containers": {"cna": {"title": "Openshift/builder: path traversal allows command injection in privileged buildcontainer using docker build strategy", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the \u201cDocker\u201d strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.12", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-docker-builder", "defaultStatus": "affected", "versions": [{"version": "v4.12.0-202409121032.p1.g609473f.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.12::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-docker-builder", "defaultStatus": "affected", "versions": [{"version": "v4.13.0-202409120505.p1.g2c7e99d.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-docker-builder", "defaultStatus": "affected", "versions": [{"version": "v4.14.0-202409111409.p1.g52565ca.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.14::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-docker-builder", "defaultStatus": "affected", "versions": [{"version": "v4.15.0-202409101936.p1.ge7749a3.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.15::el8", "cpe:/a:redhat:openshift:4.15::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-docker-builder-rhel9", "defaultStatus": "affected", "versions": [{"version": "v4.16.0-202409101737.p1.gfee4b58.assembly.stream.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.16::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6685", "name": "RHSA-2024:6685", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6687", "name": "RHSA-2024:6687", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6689", "name": "RHSA-2024:6689", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6691", "name": "RHSA-2024:6691", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6705", "name": "RHSA-2024:6705", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7387", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302259", "name": "RHBZ#2302259", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://stuxxn.github.io/advisory/2024/10/02/openshift-build-docker-priv-esc.html"}], "datePublic": "2024-09-16T08:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-250", "description": "Execution with Unnecessary Privileges", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-250: Execution with Unnecessary Privileges", "workarounds": [{"lang": "en", "value": "Cluster admins can follow the instructions in \"Securing Builds by Strategy\" to block use of the \"Docker\" build strategy on a cluster, or restrict the use to a set of highly trusted users, until the cluster is able to be upgraded.\n\nhttps://docs.openshift.com/container-platform/4.16/cicd/builds/securing-builds-by-strategy.html"}], "timeline": [{"lang": "en", "time": "2024-08-01T15:12:45+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-16T08:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Armin Stock for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-24T19:21:43.241Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-07T20:31:09.766421Z", "id": "CVE-2024-7387", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-07T20:31:23.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7387", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-07T20:31:09.766421Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T15:58:40.387Z"}}], "cna": {"title": "Openshift/builder: path traversal allows command injection in privileged buildcontainer using docker build strategy", "credits": [{"lang": "en", "value": "Red Hat would like to thank Armin Stock for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:openshift:4.12::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.12", "versions": [{"status": "unaffected", "version": "v4.12.0-202409121032.p1.g609473f.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-docker-builder", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.13::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "versions": [{"status": "unaffected", "version": "v4.13.0-202409120505.p1.g2c7e99d.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-docker-builder", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.14::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "versions": [{"status": "unaffected", "version": "v4.14.0-202409111409.p1.g52565ca.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-docker-builder", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.15::el8", "cpe:/a:redhat:openshift:4.15::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "versions": [{"status": "unaffected", "version": "v4.15.0-202409101936.p1.ge7749a3.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-docker-builder", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.16::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "versions": [{"status": "unaffected", "version": "v4.16.0-202409101737.p1.gfee4b58.assembly.stream.el9", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-docker-builder-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-08-01T15:12:45+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-16T08:00:00+00:00", "value": "Made public."}], "datePublic": "2024-09-16T08:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6685", "name": "RHSA-2024:6685", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6687", "name": "RHSA-2024:6687", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6689", "name": "RHSA-2024:6689", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6691", "name": "RHSA-2024:6691", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6705", "name": "RHSA-2024:6705", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7387", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302259", "name": "RHBZ#2302259", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://stuxxn.github.io/advisory/2024/10/02/openshift-build-docker-priv-esc.html"}], "workarounds": [{"lang": "en", "value": "Cluster admins can follow the instructions in \"Securing Builds by Strategy\" to block use of the \"Docker\" build strategy on a cluster, or restrict the use to a set of highly trusted users, until the cluster is able to be upgraded.\n\nhttps://docs.openshift.com/container-platform/4.16/cicd/builds/securing-builds-by-strategy.html"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the \u201cDocker\u201d strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "Execution with Unnecessary Privileges"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-24T19:21:43.241Z"}, "x_redhatCweChain": "CWE-250: Execution with Unnecessary Privileges"}}, "cveMetadata": {"cveId": "CVE-2024-7387", "state": "PUBLISHED", "dateUpdated": "2024-11-24T19:21:43.241Z", "dateReserved": "2024-08-01T15:14:15.077Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-16T23:58:35.176Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the \u201cDocker\u201d strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en openshift/builder. Esta vulnerabilidad permite la inyecci\u00f3n de comandos a trav\u00e9s de un path traversal, donde un usuario malintencionado puede ejecutar comandos arbitrarios en el nodo OpenShift que ejecuta el contenedor de compilaci\u00f3n. Al utilizar la estrategia \u201cDocker\u201d, los archivos ejecutables dentro del contenedor de compilaci\u00f3n privilegiado se pueden anular utilizando el atributo `spec.source.secrets.secret.destinationDir` de la definici\u00f3n `BuildConfig`. Un atacante que ejecute c\u00f3digo en un contenedor privilegiado podr\u00eda aumentar sus permisos en el nodo que ejecuta el contenedor."}], "id": "CVE-2024-7387", "lastModified": "2024-10-03T21:15:08.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-17T00:15:52.757", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6685"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6687"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6689"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6691"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6705"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-7387"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302259"}, {"source": "secalert@redhat.com", "url": "https://stuxxn.github.io/advisory/2024/10/02/openshift-build-docker-priv-esc.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Armin Stock for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:6705", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/ose-docker-builder:v4.12.0-202409121032.p1.g609473f.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6691", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-docker-builder:v4.13.0-202409120505.p1.g2c7e99d.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6689", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-docker-builder:v4.14.0-202409111409.p1.g52565ca.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6685", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-docker-builder:v4.15.0-202409101936.p1.ge7749a3.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:6687", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-docker-builder-rhel9:v4.16.0-202409101737.p1.gfee4b58.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-09-19T00:00:00Z"}], "bugzilla": {"description": "openshift/builder: Path traversal allows command injection in privileged BuildContainer using docker build strategy", "id": "2302259", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302259"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-250", "details": ["A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the \u201cDocker\u201d strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.", "A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the \u201cDocker\u201d strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container."], "mitigation": {"lang": "en:us", "value": "Cluster admins can follow the instructions in \"Securing Builds by Strategy\" to block use of the \"Docker\" build strategy on a cluster, or restrict the use to a set of highly trusted users, until the cluster is able to be upgraded.\nhttps://docs.openshift.com/container-platform/4.16/cicd/builds/securing-builds-by-strategy.html"}, "name": "CVE-2024-7387", "public_date": "2024-09-16T08:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7387\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7387\nhttps://stuxxn.github.io/advisory/2024/10/02/openshift-build-docker-priv-esc.html"], "statement": "In all versions of OpenShift, the \"Custom\" build strategy gives developers permission to run arbitrary commands in a privileged container. This is disabled by default, and documentation explicitly warns that this should only be enabled for highly trusted users (eg: cluster admins). We therefore do not consider this vulnerability a privilege escalation path for \"Custom\" strategy builds.\nMicroshift is not affected by this vulnerability. MicroShift does not include this OpenShift API.\nThe Builds for Red Hat OpenShift Operator based on Shipwright is not affected by this vulnerability.", "threat_severity": "Important"}