CVE-2024-45497: Incorrect Permission Assignment for Critical Resource
CVE-2024-45497 is a high-severity vulnerability in OpenShift 4.16 where the docker-build container mounts the node's /var/lib/kubelet/config.json file with write permissions. This file contains sensitive credentials for pulling images from private repositories. Because the mount is not read-only, an attacker with build pod privileges can overwrite this file, causing denial of service by blocking image pulls and potentially exfiltrating secrets. The flaw impacts availability and confidentiality of services relying on image pulls. No user interaction is required, but limited privileges are needed. There are no known exploits in the wild yet. European organizations using OpenShift 4.16 in production environments are at risk, especially those with private container registries.
AI Analysis
Technical Summary
CVE-2024-45497 is a vulnerability identified in OpenShift version 4.16 affecting the docker-build container configuration. The issue arises because the build container mounts the host node's /var/lib/kubelet/config.json file as a hostPath volume into the build pod without enforcing read-only permissions. This config.json file contains sensitive credentials required for authenticating and pulling container images from private registries. Since the mount is writable, an attacker who gains access to the build pod can overwrite or modify this file. Such modification can disrupt the node's ability to pull new images, leading to denial of service (DoS) for workloads dependent on image updates. Additionally, by manipulating or reading this file, attackers may exfiltrate sensitive credentials, compromising confidentiality. The vulnerability requires the attacker to have privileges to run or control builds within the OpenShift environment but does not require user interaction. The CVSS 3.1 score is 7.6 (high), reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, impacts on confidentiality and integrity, and a high impact on availability. No known exploits have been reported in the wild as of the publication date. The flaw highlights a misconfiguration in volume mount permissions that can be exploited to escalate privileges and disrupt cluster operations.
Potential Impact
For European organizations deploying OpenShift 4.16, this vulnerability poses significant risks. The ability to overwrite kubelet configuration files can lead to denial of service by preventing nodes from pulling updated container images, potentially causing service outages or degraded performance. Organizations relying on private container registries are at risk of credential exposure, which could lead to unauthorized access to proprietary or sensitive container images. This exposure can cascade into further compromise of internal systems if attackers leverage stolen credentials. The disruption of image pulls can affect continuous integration/continuous deployment (CI/CD) pipelines, delaying software updates and security patches. Given the critical role of container orchestration in modern cloud-native applications, the impact on availability and confidentiality can be substantial, especially in sectors like finance, healthcare, and critical infrastructure prevalent in Europe. The requirement for attacker privileges to run builds limits the attack surface but does not eliminate risk, particularly in multi-tenant or large-scale environments where build permissions may be more widely granted.
Mitigation Recommendations
To mitigate CVE-2024-45497, European organizations should immediately audit their OpenShift 4.16 environments for docker-build container configurations that mount the /var/lib/kubelet/config.json file. The mount should be changed to read-only to prevent overwriting. If possible, restrict or remove hostPath volume mounts exposing sensitive files to build pods. Implement strict role-based access control (RBAC) policies to limit which users or service accounts can initiate builds or modify build configurations. Monitor build pod activities and file system changes on nodes for suspicious behavior indicative of attempts to modify kubelet config files. Apply any available patches or updates from Red Hat or OpenShift vendors as soon as they are released. Additionally, consider isolating build environments and using image pull secrets with minimal privileges. Regularly rotate credentials used in config.json and audit access logs for anomalous access patterns. Employ network segmentation to limit exposure of critical nodes and registries.
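The audit step above (finding build pods that mount /var/lib/kubelet/config.json without read-only permissions) can be automated against the JSON that `oc get pods -A -o json` prints. The following is an added example, not code from the advisory or from OpenShift; the pod and volume names in the constructed sample are assumptions, and it also flags a hostPath of a parent directory such as /var/lib/kubelet, which exposes the same file.

```python
import json

# Host files holding registry pull credentials; the page's case is the kubelet's
# config.json. A hostPath of a parent directory exposes the file just the same.
SENSITIVE_HOST_PATHS = ("/var/lib/kubelet/config.json",)


def exposes(host_path, sensitive):
    """True if mounting host_path makes the sensitive host file reachable."""
    hp = host_path.rstrip("/")
    return hp == "" or sensitive == hp or sensitive.startswith(hp + "/")


def writable_sensitive_mounts(pod):
    """Return (pod, container, hostPath, mountPath) for each sensitive hostPath
    volume a container mounts without readOnly: true (the key defaults to false,
    so an absent key counts as writable)."""
    spec = pod.get("spec", {})
    exposed = {}  # volume name -> host path
    for vol in spec.get("volumes", []):
        hp = (vol.get("hostPath") or {}).get("path")
        if hp and any(exposes(hp, s) for s in SENSITIVE_HOST_PATHS):
            exposed[vol["name"]] = hp
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in exposed and not m.get("readOnly", False):
                findings.append((pod["metadata"]["name"], c["name"],
                                 exposed[m["name"]], m["mountPath"]))
    return findings


def audit_pod_list(pod_list_json):
    """Audit a PodList document such as `oc get pods -A -o json` prints."""
    items = json.loads(pod_list_json).get("items", [])
    return [f for pod in items for f in writable_sensitive_mounts(pod)]


# Constructed sample (names assumed): one writable mount as in the advisory,
# and one hardened mount of the parent directory with readOnly: true.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "app-1-build"}, "spec": {
        "volumes": [{"name": "node-pullsecrets",
                     "hostPath": {"path": "/var/lib/kubelet/config.json"}}],
        "containers": [{"name": "docker-build", "volumeMounts": [
            {"name": "node-pullsecrets",
             "mountPath": "/var/lib/kubelet/config.json"}]}]}},
    {"metadata": {"name": "app-2-build"}, "spec": {
        "volumes": [{"name": "node-pullsecrets",
                     "hostPath": {"path": "/var/lib/kubelet"}}],
        "containers": [{"name": "docker-build", "volumeMounts": [
            {"name": "node-pullsecrets", "mountPath": "/var/lib/kubelet",
             "readOnly": True}]}]}}]})

if __name__ == "__main__":
    for f in audit_pod_list(SAMPLE_POD_LIST):
        print("WRITABLE sensitive hostPath: pod=%s container=%s host=%s mount=%s" % f)
```

Only the first sample pod is reported; the second mounts the same credentials read-only, which is the state the mitigation above calls for.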
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-08-30T10:12:13.684Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68467fab71f4d251b582404b
Added to database: 6/9/2025, 6:31:07 AM
Last enriched: 2/4/2026, 8:22:54 AM
Last updated: 2/4/2026, 1:49:43 PM