VYPR
Medium severity · CVSS 4.3 · GHSA Advisory · Published Mar 19, 2025 · Updated Apr 15, 2026

CVE-2024-7631


Description

A flaw was found in the OpenShift Console in an endpoint used by plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers.go#L112 unsafely. Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in OpenShift Console's /locales/resources.json endpoint lets an authenticated user read arbitrary JSON files from the pod.

Vulnerability

The /locales/resources.json endpoint in the OpenShift Console (bridge) uses the lng and ns query parameters to build a file path when loading locale resource files. This filepath construction occurs in pkg/plugins/handlers.go at line 112 and does not properly sanitize or validate sequences such as ../ [1][3]. Consequently, an attacker can inject path traversal payloads into these parameters to escape the intended locale directory.

Exploitation

An attacker must first authenticate to the OpenShift Console, as the endpoint requires a valid session. The only prerequisite is the ability to issue HTTP requests to the console—no special privileges are needed beyond authentication. By crafting requests with parameters like lng=../../etc/kubernetes&ns=somefile, an authenticated user can force the server to read any accessible JSON file on the pod’s filesystem [1][4]. The endpoint returns the JSON content directly in the response.

Impact

Successful exploitation allows the attacker to read arbitrary JSON files from the console’s container filesystem. This could expose sensitive configuration data, service account tokens, or other secrets stored as JSON files on the pod. The vulnerability is rated Medium (CVSS 4.3) because it requires authentication and only affects JSON files, limiting impact compared to arbitrary file reads of other formats or from other pods [1][3].

Mitigation

Red Hat has released patched versions of the OpenShift Console (version 6.0.7 and later) that properly validate and sanitize the lng and ns parameters [2][4]. Users should update to the latest console version available for their OpenShift release. No workaround is provided other than restricting network access to the console’s pod via network policies.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
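The unsafe join described above beside a hardened resolver, as an added Go example that is not the console's code: unsafeLocalePath is a hypothetical reconstruction of the weak pattern, and safeLocalePath, localeParam and the /opt/locales root are assumed names and values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadLocaleParam is returned when lng or ns fails validation.
var ErrBadLocaleParam = errors.New("invalid locale parameter")

// unsafeLocalePath reconstructs the weak pattern (hypothetical, not the
// console's code): query values are joined straight into the path, so
// "../" segments in lng or ns walk out of the locale root.
func unsafeLocalePath(root, lng, ns string) string {
	return filepath.Join(root, lng, ns+".json")
}

// localeParam allows only plain tokens ("en", "zh-CN", "plugin__foo"),
// so path separators and dot segments never reach the join.
var localeParam = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// safeLocalePath applies the allowlist to each parameter and then checks
// that the resolved path is still inside root (defense in depth).
func safeLocalePath(root, lng, ns string) (string, error) {
	if !localeParam.MatchString(lng) || !localeParam.MatchString(ns) {
		return "", ErrBadLocaleParam
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	p := filepath.Join(absRoot, lng, ns+".json")
	if !strings.HasPrefix(p, absRoot+string(filepath.Separator)) {
		return "", ErrBadLocaleParam
	}
	return p, nil
}

func main() {
	// Constructed inputs: the advisory's traversal payload and a benign one.
	lng, ns := "../../etc/kubernetes", "somefile"
	fmt.Println("unsafe:", unsafeLocalePath("/opt/locales", lng, ns))
	_, err := safeLocalePath("/opt/locales", lng, ns)
	fmt.Println("safe:", err)
	p, _ := safeLocalePath("/opt/locales", "en", "plugin__foo")
	fmt.Println("safe:", p)
}
```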

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/openshift/console (Go)
Affected versions: <= 6.0.6
Patched versions: (none listed)
