CVE-2024-6508
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat OpenShift Container Platform 4.12 | v4.12.0-202412201659.p0.g8910d84.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.13 | v4.13.0-202411300029.p0.g68accd9.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.14 | v4.14.0-202411131205.p0.g839a801.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.15 | v4.15.0-202411060036.p0.gd8360d4.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | v4.16.0-202410231737.p0.gf0870c3.assembly.stream.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.17 | v4.17.0-202410091535.p0.ge61f187.assembly.stream.el9 < * | unaffected |
Weaknesses
- CWE-331: Insufficient Entropy
Workarounds
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2024:10813
- https://access.redhat.com/errata/RHSA-2024:7922
- https://access.redhat.com/errata/RHSA-2024:8415
- https://access.redhat.com/errata/RHSA-2024:8991
- https://access.redhat.com/errata/RHSA-2024:9620
- https://access.redhat.com/errata/RHSA-2025:0014
- https://access.redhat.com/security/cve/CVE-2024-6508
- https://bugzilla.redhat.com/show_bug.cgi?id=2295777
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.