CVE-2024-7387 CRITICAL

CVE-2024-7387: Openshift/builder: path traversal allows command injection in privileged buildcontainer using docker build strategy

Weakness CWE-250
Published September 16, 2024
Last update March 24, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.
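A defensive audit for the field named above, added here as an example and not taken from the advisory or from openshift/builder. It assumes the BuildConfig layout `spec.source.secrets[].destinationDir` and `spec.strategy.type`, and treats a safe `destinationDir` as a relative path that stays inside the build context; the function names and sample objects are constructed for illustration.

```python
import posixpath

def escapes_context(dest):
    """True if dest is absolute or normalizes to a path above the build context."""
    if not dest:
        return False  # unset: nothing to traverse
    norm = posixpath.normpath(dest)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")

def audit_buildconfig(bc):
    """Return (name, field, value) findings for one BuildConfig dict."""
    spec = bc.get("spec", {})
    strategy = spec.get("strategy", {})
    # The advisory concerns the Docker strategy only; other strategies are skipped.
    if strategy.get("type") != "Docker" and "dockerStrategy" not in strategy:
        return []
    name = bc.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for i, entry in enumerate(spec.get("source", {}).get("secrets") or []):
        dest = entry.get("destinationDir", "")
        if escapes_context(dest):
            findings.append((name, f"spec.source.secrets[{i}].destinationDir", dest))
    return findings

def audit_all(items):
    """Audit a list of BuildConfig dicts, e.g. the 'items' of a JSON export."""
    return [f for bc in items for f in audit_buildconfig(bc)]

# Constructed sample input (not real cluster data).
SAMPLE = [
    {"metadata": {"name": "bc-ok"},
     "spec": {"strategy": {"type": "Docker"},
              "source": {"secrets": [{"secret": {"name": "s1"},
                                      "destinationDir": "./secrets"}]}}},
    {"metadata": {"name": "bc-traversal"},
     "spec": {"strategy": {"type": "Docker"},
              "source": {"secrets": [{"secret": {"name": "s2"},
                                      "destinationDir": "../../constructed/outside"}]}}},
    {"metadata": {"name": "bc-source-strategy"},
     "spec": {"strategy": {"type": "Source"},
              "source": {"secrets": [{"secret": {"name": "s3"},
                                      "destinationDir": "../x"}]}}},
]

if __name__ == "__main__":
    for name, field, value in audit_all(SAMPLE):
        print(f"{name}: {field} = {value!r} leaves the build context")
```

To run it against a cluster, pass the `items` list from `oc get buildconfig --all-namespaces -o json` to `audit_all`.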

Key dates

02 Disclosure timeline

September 16, 2024 CVE published
March 24, 2026 Record updated