CVE-2026-1784
Ose-cluster-ingress-operator: remote code execution through haproxy configuration injection
The OpenShift Route resource lets users define routes that make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document were insufficient and could allow controlled injection into the HAProxy configuration.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Red Hat · Red Hat OpenShift Container Platform 4
Red Hat · Red Hat OpenShift Container Platform 4.16
Red Hat · Red Hat OpenShift Container Platform 4.18
Red Hat · Red Hat OpenShift Container Platform 4.19
Red Hat · Red Hat OpenShift Container Platform 4.20
Red Hat · Red Hat OpenShift Container Platform 4.21
References
https://access.redhat.com/errata/RHSA-2026:23241
https://access.redhat.com/errata/RHSA-2026:23246
https://access.redhat.com/errata/RHSA-2026:25045
https://access.redhat.com/errata/RHSA-2026:25182
https://access.redhat.com/errata/RHSA-2026:25194
https://access.redhat.com/security/cve/CVE-2026-1784
https://bugzilla.redhat.com/show_bug.cgi?id=2436075