CVE-2023-4456

Summary

A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.

Affected Software

VendorProductVersion RangeStatus
Red HatRHOL-5.5-RHEL-8v0.1.0-327 < *unaffected
Red HatRHOL-5.6-RHEL-8v0.1.0-326 < *unaffected
Red HatRHOL-5.7-RHEL-8v0.1.0-325 < *unaffected

Weaknesses

  • CWE-1220: Insufficient Granularity of Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References