CVE-2024-6508

Summary

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat OpenShift Container Platform 4.12v4.12.0-202412201659.p0.g8910d84.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.13v4.13.0-202411300029.p0.g68accd9.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.14v4.14.0-202411131205.p0.g839a801.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.15v4.15.0-202411060036.p0.gd8360d4.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.16v4.16.0-202410231737.p0.gf0870c3.assembly.stream.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17v4.17.0-202410091535.p0.ge61f187.assembly.stream.el9 < *unaffected

Weaknesses

  • CWE-331: Insufficient Entropy

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References