CVE-2024-25131
Aliases:GHSA-77c2-c35q-254wGO-2024-3349
Advisory lineage Upstream: 0 Downstream: 2
Downstream
Deferred
Published: 19 Dec 2024, 14:18
Last modified:23 Jul 2025, 22:46
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
8.8 HIGH
v3.1 (cve.org)
EPSS Score
0.18% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
19 Dec 2024, 14:18
Published
Vulnerability first disclosed
23 Jul 2025, 22:46
Last Modified
Vulnerability information updated
Description
A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can allow a standard developer user to escalate their privileges to a cluster administrator and pivot to the AWS environment.
CVSS Metrics
- v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.18%• Percentile: 39%
Techniques & Countermeasures
- CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Affected Systems
- github.com/openshift•must-gather
< 0.0.0-20240604173837-d1557bc283dd | all
References (7)
- https://access.redhat.com/security/cve/CVE-2024-25131
- https://bugzilla.redhat.com/show_bug.cgi?id=2258856
- https://github.com/openshift/must-gather-operator/pull/135
- https://github.com/openshift/must-gather-operator/pull/138
- https://nvd.nist.gov/vuln/detail/CVE-2024-25131
- https://github.com/openshift/must-gather-operator
- https://github.com/advisories/GHSA-77c2-c35q-254w