{ "schema_version": "1.4.0", "id": "GHSA-fg9q-5cw2-p6r9", "modified": "2025-03-14T19:54:12Z", "published": "2024-03-07T21:30:21Z", "aliases": [ "CVE-2024-1725" ], "summary": "kubevirt-csi: PersistentVolume allows access to HCP's root node", "details": "A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/kubevirt/csi-driver" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.0.0-202403081943-cc28dcbb0afc14" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1725" }, { "type": "WEB", "url": "https://github.com/kubevirt/csi-driver/commit/cc28dcbb0afca0a7cb8a73bc998ab49f864ed560" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:1559" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:1891" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:2047" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-1725" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265398" }, { "type": "PACKAGE", "url": "https://github.com/kubevirt/csi-driver" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3512" } ], "database_specific": { "cwe_ids": [ "CWE-501" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-11T20:07:55Z", "nvd_published_at": "2024-03-07T20:15:50Z" } }