CVE-2024-7631

Aliases: GHSA-69x5-hjg4-m267, GO-2025-3539
Advisory lineage: Upstream: 0, Downstream: 1
Status: Deferred
Published: 19 Mar 2025, 18:47
Last modified: 24 Mar 2026, 13:20

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.06% LOW
0% probability -0.10%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

19 Mar 2025, 18:47
Published
Vulnerability first disclosed
24 Mar 2026, 13:20
Last Modified
Vulnerability information updated

Description

A flaw was found in the OpenShift Console, in an endpoint that lets plugins serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used unsafely to construct a filepath in pkg/plugins/handlers.go#L112. Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON file on the console's pod by using sequences of ../ combined with valid directory paths.
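As an added illustration of the fix class for this CWE-22 issue (example code, not the OpenShift Console project's own handler), the Go function below constrains the lng and ns parameters to single path components before joining them onto the plugin's locales directory, and then re-checks that the cleaned result still lies under that directory. The locales root, the root/<lng>/<ns>.json layout and the function name are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidLocalePath is returned when lng or ns would not resolve to a
// file directly under the expected locales directory.
var ErrInvalidLocalePath = errors.New("invalid lng or ns parameter")

// LocaleResourcePath builds the path of a plugin's translation file from the
// lng and ns request parameters. The layout root/<lng>/<ns>.json is an
// assumption for this example, not the console's actual layout.
func LocaleResourcePath(root, lng, ns string) (string, error) {
	// Each parameter must be a single path component: not empty, not "."
	// or "..", and free of separators. Traversal sequences are rejected
	// outright rather than stripped, so "....//" style tricks cannot survive.
	for _, p := range []string{lng, ns} {
		if p == "" || p == "." || p == ".." || strings.ContainsAny(p, `/\`) {
			return "", ErrInvalidLocalePath
		}
	}
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, lng, ns+".json")
	// Defence in depth: verify the joined, cleaned path is still inside root.
	rel, err := filepath.Rel(cleanRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidLocalePath
	}
	return full, nil
}

func main() {
	root := "/var/plugins/locales" // constructed sample root for the example
	for _, in := range [][2]string{
		{"en", "plugin__console"},   // accepted
		{"../../tmp", "data"},       // rejected: separator in lng
		{"en", "../../other/config"}, // rejected: separator in ns
		{"..", "plugin__console"},   // rejected: bare ".."
	} {
		p, err := LocaleResourcePath(root, in[0], in[1])
		fmt.Printf("lng=%q ns=%q -> path=%q err=%v\n", in[0], in[1], p, err)
	}
}
```

Because the handler serves only files the plugin ships, rejecting the request is the right response; normalising the path and serving whatever it resolves to is what makes traversal possible.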

CVSS Metrics

  • v3.1, MEDIUM, score 4.3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.06% Percentile: 19%

Techniques & Countermeasures

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • github.com/openshift/console

    Affected versions: all ≤ 6.0.6

References (6)