{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-1725", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-02-21T20:27:59.807Z", "datePublished": "2024-03-07T20:09:11.616Z", "dateUpdated": "2024-05-08T01:51:31.044Z"}, "containers": {"cna": {"title": "Kubevirt-csi: persistentvolume allows access to hcp's root node", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/kubevirt-csi-driver-rhel8", "defaultStatus": "affected", "versions": [{"version": "v4.13.0-202404200313.p0.g9d909f7.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/kubevirt-csi-driver-rhel8", "defaultStatus": "affected", "versions": [{"version": "v4.14.0-202404161544.p0.g48fafc4.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/kubevirt-csi-driver-rhel8", "defaultStatus": "affected", "versions": [{"version": "v4.15.0-202403220332.p0.gd3bdbce.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1559", "name": "RHSA-2024:1559", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1891", "name": "RHSA-2024:1891", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2047", "name": "RHSA-2024:2047", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1725", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265398", "name": "RHBZ#2265398", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-03-06T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-501", "description": "Trust Boundary Violation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-501: Trust Boundary Violation", "timeline": [{"lang": "en", "time": "2024-02-19T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-03-06T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-08T01:51:31.044Z"}}}}

{"descriptions": [{"lang": "en", "value": "A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el componente kubevirt-csi del plano de control alojado (HCP) de OpenShift Virtualization. Este problema podr\u00eda permitir que un atacante autenticado obtenga acceso al volumen del nodo trabajador HCP ra\u00edz mediante la creaci\u00f3n de un volumen persistente personalizado que coincida con el nombre de un nodo trabajador."}], "id": "CVE-2024-1725", "lastModified": "2024-05-08T02:15:09.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-03-07T20:15:50.690", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1559"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1891"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2047"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-1725"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265398"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-501"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{}