CRITICAL🇵🇱 Wersja polska

CVE-2025-62878

CVSS 9.9v3.1pub. 2026-02-25upd. 2026-04-15

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

🤖 AI Analysis
How it works

An attacker with regular user privileges can craft a value of the `parameters.pathPattern` parameter containing path traversal sequences (e.g., `../`). The PersistentVolumes creation mechanism does not properly filter or validate this value, causing the target volume path to be resolved outside the intended working directory. As a result, the newly created PersistentVolume can be placed anywhere in the host node's file system, including locations reserved for the operating system.

Impact

An attacker can overwrite sensitive system files on the host node or gain access to unauthorized directories, which may result in privilege escalation, system integrity violation, or permanent system compromise. The attack scope extends beyond the requesting user's environment (Scope: Changed).

Mitigation & patch

Apply patches available from the vendor according to the references (https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62878 and https://github.com/advisories/GHSA-jr3w-9vfr-c746). Until the fix is implemented, restrict permissions to create PersistentVolumes only to trusted users and administrative roles.

Who is affected

Versions specified in the vendor's references (details available at the addresses in the references section: bugzilla.suse.com and GitHub Advisory GHSA-jr3w-9vfr-c746)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References