CVE-2024-7387 is a high-severity flaw in the OpenShift builder component, specifically openshift4/ose-docker-builder, affecting Red Hat OpenShift Container Platform 4 when using the Docker build strategy. The vulnerability arises from unsafe handling of the BuildConfig field spec.source.secrets.secret.destinationDir, which can be abused for path traversal to override executable files inside the privileged builder container. By controlling file placement in this way, a malicious user can cause arbitrary commands to be executed on the OpenShift node running the builder container. Because the builder container is privileged, successful exploitation can cross the container boundary and affect the underlying node.
destinationDir values. Limit developer/build permissions to trusted users only, monitor for suspicious BuildConfig definitions and secret mount destinations, and review use of privileged builder containers on cluster nodes. Follow Red Hat's published mitigation instructions for this CVE.

Patch, then assume compromise.

spec.source.secrets.secret.destinationDir in BuildConfig objects. Validate that builder images and build configurations cannot be used to overwrite executables within privileged build containers.

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
The repository is a minimal PoC for CVE-2024-7387 targeting OpenShift builds. Structure: (1) `usr_bin` is a symlink pointing to `/usr/bin`, used to coerce secret mounting into the system binary directory; (2) `Dockerfile` runs `ls -la && cat pwn.txt` so any payload output written to `pwn.txt` becomes visible in build logs; (3) `README.md` provides step-by-step exploitation using OpenShift objects. Exploit flow described: create a Secret (`malicious-secret`) with a key named `cp` whose value is a bash script. Mount that secret in a BuildConfig with `destinationDir: usr_bin`. Because `usr_bin` is a symlink to `/usr/bin`, the mount overwrites `/usr/bin/cp` with the attacker's script. A second Secret (`trigger-secret`) is mounted normally; OpenShift internally invokes `cp` while handling and copying build inputs, which now runs the malicious `/usr/bin/cp`. Payload capability: node compromise and persistence. The script mounts a host partition (`/dev/vda4`) at `/mnt/h`, generates an SSH keypair, appends the public key to the worker node's `core` user `authorized_keys` under the Fedora CoreOS ostree path, fixes permissions and ownership, and writes the private key into `/tmp/build/inputs/pwn.txt`. The Dockerfile then prints `pwn.txt` during the build, allowing the attacker to recover the private key from the logs and SSH to `core@WORKER_IP`.
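One way to act on the "monitor for suspicious BuildConfig definitions and secret mount destinations" advice above, as an added example that is not the page's or Red Hat's code: a Python audit over the JSON that `oc get buildconfigs -A -o json` prints, run here against a constructed sample instead of live cluster output. It lists every source secret on Docker-strategy builds and flags destinationDir values that are absolute or escape the build directory; the symlink trick in the PoC above is invisible to a lexical check, so an unflagged entry still needs a look at the source repository.

```python
import json
import posixpath

# Constructed sample standing in for `oc get buildconfigs -A -o json` output.
SAMPLE_BUILDCONFIGS = json.dumps({"items": [
    {"metadata": {"namespace": "dev", "name": "app-ok"},
     "spec": {"strategy": {"type": "Docker"}, "source": {"secrets": [
         {"secret": {"name": "npmrc"}, "destinationDir": "config"}]}}},
    {"metadata": {"namespace": "dev", "name": "app-escape"},
     "spec": {"strategy": {"type": "Docker"}, "source": {"secrets": [
         {"secret": {"name": "x"}, "destinationDir": "../../usr/bin"},
         {"secret": {"name": "y"}, "destinationDir": "/usr/bin"}]}}},
    {"metadata": {"namespace": "ci", "name": "s2i-build"},
     "spec": {"strategy": {"type": "Source"}, "source": {"secrets": [
         {"secret": {"name": "z"}, "destinationDir": "/etc"}]}}},
]})


def classify_destination(dest: str) -> str:
    """Return 'absolute', 'traversal' or 'ok' for one destinationDir value.

    normpath() runs first so 'a/../../x' is caught. A relative name that is a
    symlink committed in the source repo (the PoC pattern) cannot be seen here.
    """
    if not dest:
        return "ok"  # unset: the secret lands in the build working directory
    if posixpath.isabs(dest):
        return "absolute"
    if posixpath.normpath(dest).split("/")[0] == "..":
        return "traversal"
    return "ok"


def audit_buildconfigs(raw_json: str, docker_only: bool = True) -> list:
    """Return (namespace, name, secret, destinationDir, verdict) per source secret."""
    findings = []
    for bc in json.loads(raw_json).get("items", []):
        spec = bc.get("spec", {})
        if docker_only and spec.get("strategy", {}).get("type") != "Docker":
            continue
        meta = bc.get("metadata", {})
        for entry in spec.get("source", {}).get("secrets") or []:
            dest = entry.get("destinationDir", "")
            findings.append((meta.get("namespace"), meta.get("name"),
                             entry.get("secret", {}).get("name"), dest,
                             classify_destination(dest)))
    return findings


if __name__ == "__main__":
    for ns, name, secret, dest, verdict in audit_buildconfigs(SAMPLE_BUILDCONFIGS):
        mark = "REVIEW" if verdict != "ok" else "ok"
        print(f"[{mark}] {ns}/{name} secret={secret} destinationDir={dest!r} ({verdict})")
```

Pass `docker_only=False` to include Source and other strategies when reviewing the whole cluster.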
A critical vulnerability in Red Hat OpenShift Container Platform 4's openshift4/ose-docker-builder component that allows arbitrary command execution on an OpenShift node, potentially enabling privilege escalation and takeover of the node running the container.