SB2025021411 - Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes 4.5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025021411

SB2025021411 - Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes 4.5

Published: February 14, 2025

Security Bulletin ID SB2025021411
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2024-11831)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Improper neutralization of argument delimiters in a command (CVE-ID: CVE-2025-21613)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation when handling URL field in arguments passed to the git-upload-pack command. A remote attacker can trick the victim into passing a specially crafted URL as a flag to the affected command and manipulate arguments for the git-upload-pack command, which can result in information disclosure.


3) Resource exhaustion (CVE-ID: CVE-2025-21614)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling responses from a malicious Git server. A remote attacker can trick the victim into connecting to a malicious Git server and perform a denial of service (DoS) attack.


4) Improper authorization (CVE-ID: CVE-2024-45337)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.


5) Resource exhaustion (CVE-ID: CVE-2024-45338)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in several Parse functions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References