CVE-2023-0813

Summary

A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication.

Affected Software

VendorProductVersion RangeStatus
3badecfc675f63d7f497c4d86c296a0b9ac267e7 < *unaffected
Red HatNETWORK-OBSERVABILITY-1.1.0-RHEL-8v1.1.0-10 < *unaffected

Weaknesses

  • CWE-285: Improper Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References