2296053 – (CVE-2024-7631) CVE-2024-7631 openshift-console: OpenShift Console: Path traversal

Bug 2296053 (CVE-2024-7631) - CVE-2024-7631 openshift-console: OpenShift Console: Path traversal

Summary: CVE-2024-7631 openshift-console: OpenShift Console: Path traversal

Keywords:
Status:	NEW
Alias:	CVE-2024-7631
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-05 21:05 UTC by Marco Benatto
Modified:	2025-03-19 17:49 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-07-05 21:05:30 UTC

Path traversal is a vulnerability that allows an attacker to read arbitrary files and directories that are stored outside of the intended files to distribute. This might include sensitive files like secrets, configuration files as well as sensitive operating system files (like /etc/passwd). 
The OpenShift Console has an endpoint for plugins to serve resources in multiple languages: /locales/resources.json The lng and ns parameters for this endpoint are used to unsafely construct a filepath in pkg/plugins/handlers.go#L112 Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.

Impact:
Because of the affected endpoint's logic, only files with the .json extension can be accessed, limiting greatly the impact of this vulnerability. No security-impactful JSON files could be identified on the console's pod.

Note You need to log in before you can comment on or make changes to this bug.