{ "threat_severity" : "Important", "public_date" : "2024-03-06T00:00:00Z", "bugzilla" : { "description" : "kubevirt-csi: PersistentVolume allows access to HCP's root node", "id" : "2265398", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265398" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-501", "details" : [ "A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.", "A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.13", "release_date" : "2024-05-02T00:00:00Z", "advisory" : "RHSA-2024:2047", "cpe" : "cpe:/a:redhat:openshift:4.13::el8", "package" : "openshift4/kubevirt-csi-driver-rhel8:v4.13.0-202404200313.p0.g9d909f7.assembly.stream.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2024-04-26T00:00:00Z", "advisory" : "RHSA-2024:1891", "cpe" : "cpe:/a:redhat:openshift:4.14::el8", "package" : "openshift4/kubevirt-csi-driver-rhel8:v4.14.0-202404161544.p0.g48fafc4.assembly.stream.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.15", "release_date" : "2024-04-02T00:00:00Z", "advisory" : "RHSA-2024:1559", "cpe" : "cpe:/a:redhat:openshift:4.15::el8", "package" : "openshift4/kubevirt-csi-driver-rhel8:v4.15.0-202403220332.p0.gd3bdbce.assembly.stream.el8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-1725\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1725" ], "name" : "CVE-2024-1725", "csaw" : false }