CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS
Percentile: 47.8%
A flaw was found in the openshift-logging LokiStack gateway. Authorization decisions are cached under a key that is just the token, which is too broad: the key does not record which action the token was authorized for. A user holding a token that is valid for one action can therefore execute other actions for as long as the cached authorization for the original action has not expired.
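The mechanism behind this flaw, shown as an added Go example that is not LokiStack's or the gateway's own code: a small authorization cache run with two different key functions. TokenOnlyKey reproduces what the description says (the cache key is just the token), and ScopedKey is one assumed shape of a fix that binds the cached decision to tenant, verb and resource as well. The static policy, the token string "reader-token", the tenant and resource names and the one-minute TTL are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// Request is the authorization question the gateway has to answer:
// which token, for which tenant, wants to do which verb on which resource.
type Request struct {
	Token    string
	Tenant   string
	Verb     string // e.g. "get", "create"
	Resource string // e.g. "logs"
}

// Authorizer stands in for the expensive backend check (for a Kubernetes gateway this
// would be a SubjectAccessReview); here it is a constructed static policy.
type Authorizer func(r Request) bool

// KeyFunc decides what a cached decision is indexed by. The flaw lives entirely in this choice.
type KeyFunc func(r Request) string

type decision struct {
	allowed bool
	expires time.Time
}

// CachingAuthorizer memoises backend decisions for ttl.
type CachingAuthorizer struct {
	mu           sync.Mutex
	cache        map[string]decision
	ttl          time.Duration
	key          KeyFunc
	backend      Authorizer
	BackendCalls int // number of cache misses; lets the caller see when a decision was replayed
}

func NewCachingAuthorizer(key KeyFunc, backend Authorizer, ttl time.Duration) *CachingAuthorizer {
	return &CachingAuthorizer{cache: map[string]decision{}, ttl: ttl, key: key, backend: backend}
}

// Authorize returns the cached decision if a fresh one exists for the key, otherwise asks the backend.
func (c *CachingAuthorizer) Authorize(r Request, now time.Time) bool {
	k := c.key(r)
	c.mu.Lock()
	defer c.mu.Unlock()
	if d, ok := c.cache[k]; ok && now.Before(d.expires) {
		return d.allowed
	}
	c.BackendCalls++
	allowed := c.backend(r)
	c.cache[k] = decision{allowed: allowed, expires: now.Add(c.ttl)}
	return allowed
}

// TokenOnlyKey reproduces the flawed behaviour from the advisory: the key is just the token, so an
// "allow" recorded for one action is handed back for any other action presented with the same token.
func TokenOnlyKey(r Request) string { return r.Token }

// ScopedKey (assumed fix shape) binds the decision to everything the backend actually evaluated.
// The token is hashed so the raw secret is not kept as a map key; the essential change is that
// tenant, verb and resource are part of the key.
func ScopedKey(r Request) string {
	sum := sha256.Sum256([]byte(r.Token))
	return fmt.Sprintf("%s|%s|%s|%s", hex.EncodeToString(sum[:]), r.Tenant, r.Verb, r.Resource)
}

// Result records what happens when a read-only token tries to write.
type Result struct {
	GetAllowed               bool // the legitimate read
	CreateAllowedWhileCached bool // the write attempted while the read decision is still cached
	CreateAllowedAfterExpiry bool // the same write once the cached entry has aged out
	BackendCalls             int
}

// RunScenario exercises one key function against a constructed policy in which the token
// "reader-token" may only "get" "logs" in tenant "app".
func RunScenario(key KeyFunc) Result {
	policy := func(r Request) bool {
		return r.Token == "reader-token" && r.Tenant == "app" && r.Verb == "get" && r.Resource == "logs"
	}
	c := NewCachingAuthorizer(key, policy, time.Minute)
	t0 := time.Unix(0, 0)
	get := Request{Token: "reader-token", Tenant: "app", Verb: "get", Resource: "logs"}
	create := Request{Token: "reader-token", Tenant: "app", Verb: "create", Resource: "logs"}

	var res Result
	res.GetAllowed = c.Authorize(get, t0)
	res.CreateAllowedWhileCached = c.Authorize(create, t0.Add(10*time.Second))
	res.CreateAllowedAfterExpiry = c.Authorize(create, t0.Add(2*time.Minute))
	res.BackendCalls = c.BackendCalls
	return res
}

func main() {
	fmt.Printf("token-only key: %+v\n", RunScenario(TokenOnlyKey))
	fmt.Printf("scoped key:     %+v\n", RunScenario(ScopedKey))
}
```

With the token-only key, the write at ten seconds is served from the entry the read put in the cache and succeeds; once that entry ages out at two minutes the backend is consulted again and denies it, which is exactly the "as long as the authorization is still cached" window in the description. With the scoped key the write misses the cache on its first attempt and is denied. The finer key costs more backend calls (three instead of two in this run), so the TTL becomes the lever between that cost and how long a changed or revoked permission keeps being honoured.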
[
{
"vendor": "Red Hat",
"product": "RHOL-5.5-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-logging/lokistack-gateway-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "v0.1.0-327",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:logging:5.5::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOL-5.6-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-logging/lokistack-gateway-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "v0.1.0-326",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:logging:5.6::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHOL-5.7-RHEL-8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "openshift-logging/lokistack-gateway-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "v0.1.0-325",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:logging:5.7::el8"
]
}
]