CVELIST:CVE-2024-1342 (Red Hat CNA)
History: Feb 16, 2024 - 3:20 p.m.

CVE-2024-1342 Openshift: existing cross-site request forgery protection insufficient for websocket creation

2024-02-16 15:20:53
CWE-352
Tags: redhat, www.cve.org, openshift, csrf, protection, flaw, websocket creation

5.4 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS: 0.0004 Low (Percentile 9.2%)

A flaw was found in OpenShift. The existing Cross-Site Request Forgery (CSRF) protections in place do not properly protect GET requests, allowing for the creation of WebSockets via CSRF.
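The description says the CSRF defence covered state-changing requests but not the GET request that opens a WebSocket. A browser always sends that handshake as a GET with an Origin header, so the server-side check that closes the gap is an Origin allowlist applied to WebSocket upgrades specifically. The Go snippet below is an added illustration of that check; it is not OpenShift code and is not part of this record. The allowlist entry, the "/ws" path and the wrapped handler are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins is a constructed allowlist for this example; a real
// deployment would load it from configuration (hypothetical value).
var allowedOrigins = map[string]bool{
	"https://console.example.com": true,
}

// isWebSocketUpgrade reports whether the request is a WebSocket handshake.
// Browsers send the handshake as a GET carrying these two headers, which is
// exactly the request a token-based CSRF check tends to skip.
func isWebSocketUpgrade(r *http.Request) bool {
	return r.Method == http.MethodGet &&
		strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// originAllowed decides whether a handshake may proceed. A missing or
// unparseable Origin is rejected: browsers set it on every cross-origin
// WebSocket handshake, so its absence is not a reason to trust the request.
func originAllowed(r *http.Request, allowed map[string]bool) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	// Compare scheme and host only, case-insensitively, against the allowlist.
	return allowed[strings.ToLower(u.Scheme)+"://"+strings.ToLower(u.Host)]
}

// wsGuard wraps a handler: ordinary requests pass through (their CSRF token
// check lives elsewhere); WebSocket handshakes need an allowlisted Origin.
func wsGuard(next http.Handler, allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isWebSocketUpgrade(r) && !originAllowed(r, allowed) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// handshakeStatus sends one constructed request through wsGuard and returns
// the HTTP status the client would see. upgrade=false models a plain GET.
func handshakeStatus(origin string, upgrade bool) int {
	req := httptest.NewRequest(http.MethodGet, "/ws", nil) // hypothetical path
	if upgrade {
		req.Header.Set("Upgrade", "websocket")
		req.Header.Set("Connection", "Upgrade")
	}
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	wsGuard(ok, allowedOrigins).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, o := range []string{"https://console.example.com", "https://other.example", ""} {
		fmt.Printf("handshake from origin %q -> %d\n", o, handshakeStatus(o, true))
	}
}
```

The guard is deliberately narrow: it only gates requests that are actually WebSocket handshakes, so it can sit in front of an existing CSRF token filter without changing how normal GETs are treated, and rejecting an absent Origin avoids the common mistake of treating "no Origin" as "same origin".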

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift:4"
    ]
  }
]
