8

CVE-2024-6508

Openshift-console: oauth2 insufficient state parameter entropy

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/openshift/console
Paket openshift-console
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.12
Default Statusaffected
Version v4.12.0-202412201659.p0.g8910d84.assembly.stream.el8
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.13
Default Statusaffected
Version v4.13.0-202411300029.p0.g68accd9.assembly.stream.el8
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.14
Default Statusaffected
Version v4.14.0-202411131205.p0.g839a801.assembly.stream.el8
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.15
Default Statusaffected
Version v4.15.0-202411060036.p0.gd8360d4.assembly.stream.el8
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.16
Default Statusaffected
Version v4.16.0-202410231737.p0.gf0870c3.assembly.stream.el9
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.17
Default Statusaffected
Version v4.17.0-202410091535.p0.ge61f187.assembly.stream.el9
Version < *
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.42
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 8 1.3 6
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://access.redhat.com/errata/RHSA-2024:7922
https://access.redhat.com/errata/RHSA-2024:10813
https://access.redhat.com/errata/RHSA-2024:8991
https://access.redhat.com/errata/RHSA-2024:9620
https://access.redhat.com/errata/RHSA-2024:8415
https://access.redhat.com/errata/RHSA-2025:0014
https://access.redhat.com/security/cve/CVE-2024-6508
https://bugzilla.redhat.com/show_bug.cgi?id=2295777