CVE-2024-28849 is an information disclosure vulnerability (CWE-200) impacting Red Hat OpenShift Pipelines 1.15.0, a cloud-native CI/CD platform based on Tekton. The vulnerability is included in the list of CVEs addressed by the Red Hat OpenShift Pipelines Operator Bundle 1.15.0 release. OpenShift Pipelines enables defining and running CI/CD pipelines across Kubernetes and other platforms. The vendor advisory (RHEA-2024:3997) announces the 1.15.0 release with multiple CVE fixes but does not explicitly state the patch status or mitigation steps for this specific CVE. No CVSS score is provided, and no known exploits have been reported. The product is not cloud-hosted, so remediation requires applying vendor updates.

The vulnerability allows unauthorized information disclosure within Red Hat OpenShift Pipelines 1.15.0. This could potentially expose sensitive pipeline or deployment data. However, no known exploits are currently reported in the wild. The impact is rated medium severity by the vendor, consistent with CWE-200 classification. The vulnerability affects multiple architectures including x86_64, ppc64le, s390x, and aarch64 versions of OpenShift Pipelines 1.15.

The vendor advisory does not explicitly confirm a patch for CVE-2024-28849 but announces the release of OpenShift Pipelines Operator Bundle 1.15.0, which addresses multiple CVEs including this one. Users should ensure all previously released errata relevant to their system are applied before updating to 1.15.0. Follow Red Hat's official update procedures as documented at https://access.redhat.com/articles/11258. Patch status is not yet confirmed—check the Red Hat advisory (https://access.redhat.com/errata/RHEA-2024:3997) for the latest remediation guidance. No additional mitigation steps are specified.