CVE-2024-6535

Summary

A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.

Affected Software

VendorProductVersion RangeStatus
0 < 0.0.0-20240703184342-c26bce4079ffaffected
Red HatService Interconnect 1.4 for RHEL 91.4.7-1 < *unaffected
Red HatService Interconnect 1.4 for RHEL 91.4.7-1 < *unaffected
Red HatService Interconnect 1 for RHEL 91.5.5-1 < *unaffected
Red HatService Interconnect 1 for RHEL 91.5.5-1 < *unaffected

Weaknesses

  • CWE-1392: Use of Default Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References