CVE-2024-12582
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Summary
A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 1.8.3 | affected | ||
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 2.7.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
| Red Hat | Service Interconnect 1 for RHEL 9 | 1.8.3-1 < * | unaffected |
Weaknesses
- CWE-305: Authentication Bypass by Primary Weakness
Workarounds
For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use "unsecured" where authentication is not a primary concern.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2025:1413
- https://access.redhat.com/security/cve/CVE-2024-12582
- https://bugzilla.redhat.com/show_bug.cgi?id=2333540
- https://github.com/skupperproject/skupper/pull/1833
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.