
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-25131 is a vulnerability in the MustGather.managed.openshift.io Custom Resource Definition (CRD) of OpenShift Dedicated, disclosed on December 19, 2024. It allows a non-privileged user on the cluster to create a MustGather object with specially crafted contents and have the resulting job run under the most privileged service account on the cluster (NVD).
The root cause is improper input validation (CWE-20) in the MustGather CRD implementation. No permissions were defined for access to the MustGather CRD, and a bypass in the Managed Resources Admission Webhook let accounts with only developer privileges create MustGather resources. The vulnerability carries a CVSS v3.1 base score of 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability (Red Hat CVE).
Exploitation lets a standard developer user escalate to cluster administrator. With cluster-admin privileges, the attacker can read the kube-system/osdManage secret and pivot into the underlying AWS environment with administrator privileges (Bugzilla).
The issue was addressed with two fixes: removing the ability to pass in custom must-gather images (GitHub PR 135) and preventing values from the MustGather resource from bleeding into other fields of the Job template (GitHub PR 138). The recommended hardening also includes restricting creation of MustGather objects to users holding the cluster-admin role, replacing the text-based Job definition template with typed Go structs, and validating all user-supplied inputs (Bugzilla). A quick check for cluster operators is to impersonate an ordinary developer account with kubectl auth can-i and confirm that it is denied permission to create MustGather resources.
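The "bleeding into other fields" problem and the struct-based fix, illustrated as an added example. This is Go code written for this page, not the operator's own code: a hypothetical text template that splices MustGather fields into a Job manifest (so an image value carrying a newline lands as a new YAML key at pod-spec level), beside a typed builder that validates the image against an assumed allowlisted registry prefix (quay.io/openshift/) and pins the service account. The field names, the template, the stand-in Job types and the allowed prefix are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// MustGatherInput is the subset of a MustGather resource an unprivileged user
// might control. The field names are assumptions for this example.
type MustGatherInput struct {
	Name  string
	Image string
}

// Vulnerable pattern: splicing user-controlled strings into a text template of
// the Job manifest. The template below is hypothetical, not the operator's.
const jobTemplate = `apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Name }}
spec:
  template:
    spec:
      serviceAccountName: must-gather
      containers:
      - name: must-gather
        image: {{ .Image }}
`

// RenderJobYAML renders the template with no escaping: an image value that
// contains a newline plus the right indentation becomes a new YAML key.
func RenderJobYAML(in MustGatherInput) (string, error) {
	t, err := template.New("job").Parse(jobTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, in); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Typed stand-ins for the batch/v1 Job fields used here; a real operator would
// use the k8s.io/api/batch/v1 and k8s.io/api/core/v1 types instead.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}
type PodSpec struct {
	ServiceAccountName string      `json:"serviceAccountName"`
	Containers         []Container `json:"containers"`
}
type JobSpec struct {
	Template struct {
		Spec PodSpec `json:"spec"`
	} `json:"template"`
}
type Job struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Spec       JobSpec           `json:"spec"`
}

// allowedImagePrefix is an assumed policy: only images from one registry
// namespace may run as a must-gather job.
const allowedImagePrefix = "quay.io/openshift/"

// ValidateImage rejects anything that is not a plain image reference under the
// allowed prefix. Whitespace never appears in a legitimate image reference.
func ValidateImage(image string) error {
	if image == "" || strings.ContainsAny(image, " \t\r\n") {
		return errors.New("image reference is empty or contains whitespace")
	}
	if !strings.HasPrefix(image, allowedImagePrefix) {
		return fmt.Errorf("image %q is outside the allowed prefix %q", image, allowedImagePrefix)
	}
	return nil
}

// BuildJob constructs the Job as typed data after validation. Each user value
// fills exactly one field and cannot become a sibling key whatever it holds.
func BuildJob(in MustGatherInput) (Job, error) {
	if err := ValidateImage(in.Image); err != nil {
		return Job{}, err
	}
	job := Job{APIVersion: "batch/v1", Kind: "Job", Metadata: map[string]string{"name": in.Name}}
	job.Spec.Template.Spec.ServiceAccountName = "must-gather" // fixed by the operator, never by the user
	job.Spec.Template.Spec.Containers = []Container{{Name: "must-gather", Image: in.Image}}
	return job, nil
}

func main() {
	hostile := MustGatherInput{Name: "mg", Image: "quay.io/openshift/must-gather:latest\n      serviceAccountName: cluster-admin-sa"}
	out, _ := RenderJobYAML(hostile)
	fmt.Println(out) // a second serviceAccountName key now sits at pod-spec level
	_, err := BuildJob(hostile)
	fmt.Println("typed builder:", err)
}
```

The typed builder is the structural half of the fix: once the Job is data rather than text, a hostile string can only ever be the value of the one field it was assigned to, and serialising it with the Kubernetes client's typed API (or encoding/json here) escapes control characters rather than interpreting them. Validation is the policy half, and removing custom images altogether, as PR 135 did, is the strictest form of it.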
Source: This report was generated using AI