CVE-2024-12582

EPSS 0.23%
Veröffentlicht 24.12.2024 04:15:05
Zuletzt bearbeitet 13.02.2025 14:15:28
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in the skupper console,  a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/skupperproject/skupper/

≫

Paket skupper

Default Statusunaffected

Version < 1.8.3

Version 0

Status affected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 2.7.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

HerstellerRed Hat

≫

Produkt Service Interconnect 1 for RHEL 9

Default Statusaffected

Version < *

Version 1.8.3-1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.452

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

https://access.redhat.com/errata/RHSA-2025:1413

https://access.redhat.com/security/cve/CVE-2024-12582

https://bugzilla.redhat.com/show_bug.cgi?id=2333540

https://nvd.nist.gov/vuln/detail/CVE-2024-12582

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12582

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12582

EUVD