CVE-2024-7387

CRITICAL

OpenShift Builder - Command Injection via Path Traversal in BuildConfig Secret DestinationDir

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2024-7387. PoCs published by pairofglasses, eggpratacurry, biggerbangg.

AI-analyzed exploit summary: The repository contains a minimal Dockerfile and a README that redirects to an external site without providing any technical details or exploit code. This is indicative of a social engineering lure rather than a legitimate PoC.

Description

A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.

Exploits (6)

nomisec SUSPICIOUS
by pairofglasses · poc
https://github.com/pairofglasses/cve-2024-7387

The repository contains a minimal Dockerfile and a README that redirects to an external site without providing any technical details or exploit code. This is indicative of a social engineering lure rather than a legitimate PoC.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
Prerequisites: none
devstral-2 · analyzed Jun 12, 2026
nomisec SUSPICIOUS
by eggpratacurry · poc
https://github.com/eggpratacurry/cve-2024-7387

The repository contains no actual exploit code, only a Dockerfile that performs trivial operations and a README redirecting to an external site. This is indicative of a social engineering lure rather than a legitimate PoC.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
Prerequisites: none
devstral-2 · analyzed May 26, 2026
nomisec SUSPICIOUS
by biggerbangg · poc
https://github.com/biggerbangg/cve-2024-7387

The repository contains no functional exploit code, only a Dockerfile that lists files and a README redirecting to an external site. This is characteristic of a social engineering lure.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 18, 2026
nomisec SUSPICIOUS
by b334r · poc
https://github.com/b334r/cve-2024-7387

The repository contains no actual exploit code, only a Dockerfile that performs trivial operations and a README redirecting to an external site. This is a classic social engineering lure.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
Prerequisites: none
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC
by pwnc4t · poc
https://github.com/pwnc4t/cve-2024-7387

This repository contains a functional exploit for CVE-2024-7387, leveraging OpenShift's secret mounting mechanism to overwrite the `/usr/bin/cp` binary with a malicious script. The exploit chains this with a BuildConfig to execute arbitrary commands, ultimately granting SSH access to the worker node.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: OpenShift Container Platform (specific version not specified)
Auth required
Prerequisites: Access to OpenShift cluster with permissions to create secrets and BuildConfigs · Git repository hosting the exploit files · Worker node with writable `/usr/bin` directory
devstral-2 · analyzed Mar 08, 2026
nomisec WORKING POC
by tevsho · poc
https://github.com/tevsho/cve-2024-7387

This PoC exploits a vulnerability in OpenShift by overwriting the `/usr/bin/cp` binary via a malicious secret, leading to arbitrary command execution during build processes. The exploit establishes an SSH backdoor on the worker node by injecting an SSH key into the authorized_keys file.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: OpenShift (specific version not specified)
Auth required
Prerequisites: Access to OpenShift cluster with permissions to create secrets and build configurations · Worker node with writable `/usr/bin` directory
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3718
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6685
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6687
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6689
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6691
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6705
Vendor Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-7387
Issue Tracking issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2302259

Scores

CVSS v3 9.1
EPSS 0.0079
EPSS Percentile 74.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-250
Status published
Products (7)
openshift/builder 0Go
Red Hat/Red Hat OpenShift Container Platform 4.12 v4.12.0-202409121032.p1.g609473f.assembly.stream.el8
Red Hat/Red Hat OpenShift Container Platform 4.13 v4.13.0-202409120505.p1.g2c7e99d.assembly.stream.el8
Red Hat/Red Hat OpenShift Container Platform 4.14 v4.14.0-202409111409.p1.g52565ca.assembly.stream.el8
Red Hat/Red Hat OpenShift Container Platform 4.15 v4.15.0-202409101936.p1.ge7749a3.assembly.stream.el8
Red Hat/Red Hat OpenShift Container Platform 4.16 v4.16.0-202409101737.p1.gfee4b58.assembly.stream.el9
Red Hat/Red Hat OpenShift Container Platform 4.17 v4.17.0-202409122005.p1.gcfcf3bd.assembly.stream.el9
Published Sep 17, 2024
Tracked Since Feb 18, 2026