Lucene search

K

Veracode Vulnerability DatabaseVERACODE:48134

HistoryJul 19, 2024 - 8:48 a.m.

Authentication Bypass

2024-07-1908:48:32

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4

skupper

authentication bypass

openshift oauth-proxy

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

20.9%

Skupper is vulnerable to Authentication Bypass. The vulnerability is due to configuring the OpenShift oauth-proxy with a static cookie-secret, which allows an attacker to bypass authentication via a specially-crafted cookie when console-auth is set to OpenShift.

References

access.redhat.com/errata/RHSA-2024:4865

access.redhat.com/errata/RHSA-2024:4871

access.redhat.com/security/cve/CVE-2024-6535

bugzilla.redhat.com/show_bug.cgi?id=2296024

github.com/advisories/GHSA-w799-v85j-88pg

github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71

github.com/skupperproject/skupper/issues/1531

github.com/skupperproject/skupper/releases/tag/1.7.2

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

20.9%

Related for VERACODE:48134

redhatcve1 nvd1 vulnrichment1 cvelist1 github1 osv2 cve1 redhat2