CVE-2024-5651 – Fence-agents-remediation: fence agent command line options leads to remote code execution

https://notcve.org/view.php?id=CVE-2024-5651

12 Aug 2024 — A flaw was found in fence agents that rely on SSH/Telnet. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the servic... • https://access.redhat.com/security/cve/CVE-2024-5651 • CWE-94: Improper Control of Generation of Code ('Code Injection') •