CVE-2024-45496
Published 2024-09-17
Priority P2 · 67 · critical · 9.9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS: 0.89% (55.0th percentile)
A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | openshift_openshift-controller-manager | >= 0 < 0.0.0-alpha.0.0.20240911 | 0.0.0-alpha.0.0.20240911 |
Detection & IOCs (extracted from sources)
- The 'Custom' build strategy is out of scope for this CVE: it already grants developers permission to run arbitrary commands in a privileged container by design, is disabled by default, and is documented as only for highly trusted users (e.g., cluster admins).
- MicroShift is NOT affected; it does not include the OpenShift API involved in this vulnerability.
- The Builds for Red Hat OpenShift Operator (Shipwright-based) is NOT affected.
- An incomplete fix was identified: even after the CVE-2024-45496 patch, the buildconfigs/instantiate API still lacks a semantic deny-list for dangerous environment variable names, meaning env var injection into privileged docker-build containers remains possible (tracked as CVE-2026-7309). Practical impact is limited to non-standard minimal role configurations, since the edit role already grants Secret read access.
- The env var name validation post-fix only applies a format regex with no semantic deny-list for dangerous names, leaving a residual bypass path.
CVSS provenance
nvd · v3.1 · 9.9 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vendor_redhat · 9.9 CRITICAL
Red Hat
openshift-controller-manager: Elevated Build Pods Can Lead to Node Compromise in OpenShift
vendor_redhat · 2024-09-16 · CVSS 9.9 · CRITICAL · CWE-269
OSV
OpenShift Controller Manager Improper Privilege Management in github.com/openshift/openshift-controller-manager
osv · 2024-09-18 · CVE-2024-45496
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/openshift/openshift-controller-manager before v0.0.0-alpha.0.0.20240911.
OSV
OpenShift Controller Manager Improper Privilege Management
osv · 2024-09-17 · CVE-2024-45496 · MEDIUM
GHSA
OpenShift Controller Manager Improper Privilege Management
ghsa · 2024-09-17 · CVE-2024-45496 · MEDIUM · CWE-269
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-7309 openshift-controller-manager: OpenShift Container Platform: Information disclosure via environment variable injection
bugzilla · 2026-04-28 · CVSS 9.9 · CRITICAL
An incomplete fix for CVE-2024-45496 was identified in the OpenShift Container Platform build system. The buildconfigs/instantiate API still accepts arbitrary environment variable names (including LD_PRELOAD, PATH, BUILDAH_RUNTIME, DOCKER_CONFIG, http_proxy, https_proxy) that propagate to the docker-build container, which remains privileged: true.
A user with the stock edit ClusterRole can inject these env vars into any BuildConfig in the namespace. The env var name validation only applies a format regex with no semantic deny-list for dangerous names.
In stock OpenShift, the edit role already grants Secret read access, making proxy interception largely redu
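The Bugzilla entry above describes the residual gap precisely: the name check on build environment variables is a format regex, so names such as LD_PRELOAD or https_proxy pass it and reach the privileged docker-build container. The following Go program is an added illustration, not code from openshift-controller-manager, of the difference between a format-only check and one that layers a semantic deny-list on top. The regex is an assumed pattern modelled on the Kubernetes env var name rule; the denied names are the ones this advisory lists, plus an assumed `LD_` prefix rule; the `EnvVar` type is a constructed stand-in for the API struct, and the sample env list is constructed input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// EnvVar is a constructed stand-in for a BuildConfig env entry (name/value only).
type EnvVar struct {
	Name  string
	Value string
}

// envNameFormat is the syntactic check on its own, the kind of format regex the
// advisory says the post-fix validation applies. Assumed pattern, modelled on
// the Kubernetes rule: must not start with a digit, limited character set.
var envNameFormat = regexp.MustCompile(`^[-._a-zA-Z][-._a-zA-Z0-9]*$`)

// deniedExact holds the names CVE-2026-7309 calls out: every one of them is
// syntactically valid, yet each changes how the privileged build container
// loads libraries, resolves binaries, finds credentials or routes traffic.
// Keys are upper-case; lookups are case-folded so http_proxy/HTTP_PROXY match.
var deniedExact = map[string]struct{}{
	"LD_PRELOAD":      {},
	"PATH":            {},
	"BUILDAH_RUNTIME": {},
	"DOCKER_CONFIG":   {},
	"HTTP_PROXY":      {},
	"HTTPS_PROXY":     {},
}

// deniedPrefixes is an assumption that widens the list to the whole
// dynamic-loader family (LD_LIBRARY_PATH, LD_AUDIT, ...), not just LD_PRELOAD.
var deniedPrefixes = []string{"LD_"}

// FormatOnlyValid is the weak check: it answers only "is this a well-formed name?".
func FormatOnlyValid(name string) bool {
	return envNameFormat.MatchString(name)
}

// IsDeniedName is the semantic layer the advisory says is missing. Matching is
// case-insensitive on purpose: it is conservative (rejects "path" as well as
// "PATH"), which is the right direction for input to a privileged container.
func IsDeniedName(name string) bool {
	upper := strings.ToUpper(name)
	if _, ok := deniedExact[upper]; ok {
		return true
	}
	for _, p := range deniedPrefixes {
		if strings.HasPrefix(upper, p) {
			return true
		}
	}
	return false
}

// ValidateBuildEnv applies both layers and returns one error per rejected
// variable: malformed names first, then names on the deny-list.
func ValidateBuildEnv(env []EnvVar) []error {
	var errs []error
	for _, e := range env {
		switch {
		case !FormatOnlyValid(e.Name):
			errs = append(errs, fmt.Errorf("env %q: invalid name format", e.Name))
		case IsDeniedName(e.Name):
			errs = append(errs, fmt.Errorf("env %q: name is reserved for the build runtime", e.Name))
		}
	}
	return errs
}

func main() {
	// Constructed sample: one benign variable, two that the format regex alone
	// would wave through, and one that even the format regex rejects.
	sample := []EnvVar{
		{Name: "GIT_BRANCH", Value: "main"},
		{Name: "LD_PRELOAD", Value: "/tmp/example.so"},
		{Name: "https_proxy", Value: "http://proxy.example:3128"},
		{Name: "1BAD", Value: "x"},
	}
	for _, e := range sample {
		fmt.Printf("%-12s format-only=%v denied=%v\n", e.Name, FormatOnlyValid(e.Name), IsDeniedName(e.Name))
	}
	for _, err := range ValidateBuildEnv(sample) {
		fmt.Println("reject:", err)
	}
}
```

The point the table of results makes is that three of the four sample names pass the format regex; only the deny-list layer turns LD_PRELOAD and https_proxy into rejections. A real deny-list would be maintained alongside the build image, since the set of variables the runtime honours changes with the base image.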
Bugzilla
CVE-2024-45496 openshift-controller-manager: Elevated Build Pods Can Lead to Node Compromise in OpenShift
bugzilla · 2024-08-30 · CVSS 9.9 · CRITICAL
A flaw was found in the OpenShift Container Platform where the initialization container for builds (git-clone) runs with elevated privileges. This misconfiguration allows an attacker with developer access to create a malicious .gitconfig file that executes arbitrary commands on a privileged build pod. As a result, the attacker can compromise the worker node hosting the build pod, potentially gaining access to all the workloads running on that node. The impact is critical, as it allows for the compromise of the node's identity and other nodes, depending on cluster configuration.
Discussion:
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform
- https://access.redhat.com/errata/RHSA-2024:3718
- https://access.redhat.com/errata/RHSA-2024:6685
- https://access.redhat.com/errata/RHSA-2024:6687
- https://access.redhat.com/errata/RHSA-2024:6689
- https://access.redhat.com/errata/RHSA-2024:6691
- https://access.redhat.com/errata/RHSA-2024:6705
- https://access.redhat.com/security/cve/CVE-2024-45496
- https://bugzilla.redhat.com/show_bug.cgi?id=2308661
Published: 2024-09-17