Bug 2272948 (CVE-2024-31419) - CVE-2024-31419 cnv: information disclosure through the usage of vm-dump-metrics
Summary: CVE-2024-31419 cnv: information disclosure through the usage of vm-dump-metrics
Keywords:
Status: NEW
Alias: CVE-2024-31419
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2270471
Reported: 2024-04-03 12:42 UTC by Zack Miele
Modified: 2024-04-03 16:12 UTC (History)

Fixed In Version: CNV 4.15.1
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Zack Miele 2024-04-03 12:42:08 UTC
An information disclosure flaw was discovered in OpenShift Virtualization. The DownwardMetrics feature was introduced to expose host metrics to virtual machine guests and is enabled by default. This could expose limited host metrics of a node to any guest in any namespace without being explicitly enabled by an administrator.

Comment 3 Dominik Holler 2024-04-03 14:38:12 UTC
@zmiele

Comment 4 Dominik Holler 2024-04-03 14:41:30 UTC
Can the bug be already closed, and will this update the state in https://access.redhat.com/security/cve/CVE-2024-31419 ?

Comment 5 Zack Miele 2024-04-03 15:27:31 UTC
Yes, I'll close this shortly.

