Creation Date : March 21, 2025
Source : Red Hat Security Bulletin
Classification :
- Impact: Loss of confidentiality
- Exploit: Unknown exploit
- Solution: Unknown solution
Product Status:
| Vendor | Product | Version |
| --- | --- | --- |
| Red Hat | OpenShift | 4 |
Conclusion
A medium-severity vulnerability has been identified in the OpenShift console at the /locales/resources.json endpoint, which serves multilingual resources on behalf of plugins. The lng and ns query parameters are used without sanitization when the code (pkg/plugins/handles/unsafely.go #L112) constructs the file path to serve. As a result, an authenticated user can inject sequences such as ../ into these parameters and read any JSON file on the console pod through a directory traversal attack.
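To make the defect class concrete, the following Go snippet is an added, hypothetical illustration and is not the OpenShift console's own code: `NaiveLocalePath` shows how joining unchecked `lng` and `ns` values onto a base directory lets `..` segments escape it, and `ResolveLocalePath` shows the two-layer fix (allowlist the parameter format, then verify the cleaned path is still under the root). The root directory `/opt/console/locales`, the function names and the token pattern are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadParam is returned for any lng/ns value that fails validation.
var ErrBadParam = errors.New("invalid lng or ns parameter")

// safeToken is an assumed allowlist for locale tags ("en", "zh-CN") and
// namespace names ("plugin__foo"): no slashes, no dots, bounded length.
var safeToken = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// NaiveLocalePath builds the file path directly from untrusted input.
// filepath.Join cleans the result, so "../" segments in lng or ns resolve
// to a location outside root instead of being rejected (hypothetical code).
func NaiveLocalePath(root, lng, ns string) string {
	return filepath.Join(root, lng, ns+".json")
}

// ResolveLocalePath is the hardened form: reject anything outside the
// allowlist, then confirm the cleaned path is still contained in root.
func ResolveLocalePath(root, lng, ns string) (string, error) {
	if !safeToken.MatchString(lng) || !safeToken.MatchString(ns) {
		return "", ErrBadParam
	}
	p := filepath.Join(root, lng, ns+".json")

	// Containment check: the path relative to root must not start with "..".
	// Redundant with the allowlist, but it protects against future changes
	// to the pattern and against a root that is itself unusual.
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(p))
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadParam
	}
	return p, nil
}

func main() {
	const root = "/opt/console/locales" // assumed layout, not the console's

	// Constructed inputs: one legitimate request, one traversal attempt.
	fmt.Println(NaiveLocalePath(root, "en", "plugin__foo"))
	fmt.Println(NaiveLocalePath(root, "..", "../../etc/secret")) // escapes root

	for _, in := range [][2]string{{"en", "plugin__foo"}, {"..", "../../etc/secret"}} {
		p, err := ResolveLocalePath(root, in[0], in[1])
		fmt.Printf("lng=%q ns=%q -> path=%q err=%v\n", in[0], in[1], p, err)
	}
}
```

The allowlist alone would stop the traversal here; the containment check is kept because a single regex is easy to loosen later, and the cheap second check makes the handler fail closed even then.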
References:
- CVE-2024-7631
- CVSS Score: 4.30
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Vector String)
Red Hat Bugzilla:
Vendor-Specific Advisory URL:
Mitigation:
- Red Hat currently offers no mitigation for this issue. Update to a patched version of the component as soon as one becomes available.