CVE-2024-5651

Published: Aug 12, 2024Modified: Jun 17, 2026Deferred

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in the Fence Agents Remediation operator. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges.

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://access.redhat.com/errata/RHSA-2024:5453

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2024-5651

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2290540

Source: secalert@redhat.com

Timeline

No history available yet.