Openshift-logging: lokistack authorisation is cached too broadly
CVE-2023-4456
5.7 MEDIUM
Key Information:
- Vendor: Red Hat
- CVE Published: 21 August 2023
Summary
A flaw was found in openshift-logging LokiStack. Authorization decisions are cached under a key consisting of the bearer token alone; the requested action is not part of the key, which makes the key too broad. A user holding a token that is valid for one action can therefore perform other actions with the same token for as long as the cached decision that allowed the original action has not expired.
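The following Go program is an added illustration of the keying bug and its fix; it is not code from openshift-logging or LokiStack. The `Action` type, the static `policy` table, the token value and the cache implementation are all constructed for the example (a real gateway would consult the API server, for instance via a SubjectAccessReview, instead of `policy`). `Scenario` replays the situation the advisory describes: a legitimate read warms the cache, then the same token attempts a write. With `TokenOnlyKey` the cached "allowed" answer is reused for the write; with `TokenActionKey` the write gets its own lookup and is denied.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// Action is the input to an authorization decision, loosely modelled on the
// tenant/resource/verb triple a log-gateway request carries. Illustrative type,
// not the project's own.
type Action struct {
	Tenant   string // e.g. "application"
	Resource string // e.g. "logs"
	Verb     string // e.g. "get" (query) or "create" (push)
}

// KeyFunc derives the cache key for a (token, action) pair.
type KeyFunc func(token string, a Action) string

// Backend is the slow, authoritative check; here a static policy table.
type Backend func(token string, a Action) bool

type entry struct {
	allowed bool
	expires time.Time
}

// AuthzCache memoises Backend decisions for ttl under keys chosen by keyFn.
type AuthzCache struct {
	mu           sync.Mutex
	ttl          time.Duration
	keyFn        KeyFunc
	backend      Backend
	entries      map[string]entry
	BackendCalls int // how often the backend was consulted (for the demo)
}

func NewAuthzCache(backend Backend, keyFn KeyFunc, ttl time.Duration) *AuthzCache {
	return &AuthzCache{ttl: ttl, keyFn: keyFn, backend: backend, entries: map[string]entry{}}
}

// Authorize returns a live cached decision if there is one, else asks the backend.
func (c *AuthzCache) Authorize(token string, a Action) bool {
	key := c.keyFn(token, a)
	c.mu.Lock()
	defer c.mu.Unlock()
	now := time.Now()
	if e, ok := c.entries[key]; ok && now.Before(e.expires) {
		return e.allowed
	}
	c.BackendCalls++
	allowed := c.backend(token, a)
	c.entries[key] = entry{allowed: allowed, expires: now.Add(c.ttl)}
	return allowed
}

// hashToken keeps raw bearer tokens out of the cache's map keys.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// TokenOnlyKey reproduces the flaw: the key ignores the action, so whatever
// decision was cached first for this token is reused for every other action.
func TokenOnlyKey(token string, _ Action) string {
	return hashToken(token)
}

// TokenActionKey is the corrected keying: one cache slot per distinct
// (token, tenant, resource, verb), so a cached "get" cannot satisfy a "create".
func TokenActionKey(token string, a Action) string {
	return hashToken(token) + "|" + a.Tenant + "|" + a.Resource + "|" + a.Verb
}

// Constructed sample policy: readerToken may only query application logs.
const readerToken = "reader-token-sample"

func policy(token string, a Action) bool {
	readAppLogs := Action{Tenant: "application", Resource: "logs", Verb: "get"}
	return token == readerToken && a == readAppLogs
}

// Scenario warms the cache with a permitted read, then tries a write with the
// same token. It reports whether the write was allowed and how many backend
// checks were made.
func Scenario(keyFn KeyFunc) (writeAllowed bool, backendCalls int) {
	c := NewAuthzCache(policy, keyFn, time.Minute)
	read := Action{Tenant: "application", Resource: "logs", Verb: "get"}
	write := Action{Tenant: "application", Resource: "logs", Verb: "create"}
	_ = c.Authorize(readerToken, read)             // allowed and cached
	writeAllowed = c.Authorize(readerToken, write) // must be denied
	return writeAllowed, c.BackendCalls
}

func main() {
	for _, k := range []struct {
		name string
		fn   KeyFunc
	}{{"token-only key", TokenOnlyKey}, {"token+action key", TokenActionKey}} {
		w, n := Scenario(k.fn)
		fmt.Printf("%-17s write allowed=%v backend calls=%d\n", k.name, w, n)
	}
}
```

The check a reviewer should apply to any authorization cache is the one `TokenActionKey` encodes: every input that can change the decision (principal, tenant, resource, verb) must be part of the key, and the TTL bounds only how long a correct answer is reused, not which requests it answers.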
Affected Version(s)
RHOL-5.5-RHEL-8 v0.1.0-327
RHOL-5.6-RHEL-8 v0.1.0-326
RHOL-5.7-RHEL-8 v0.1.0-325
CVSS v3.1
Score: 5.7 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Timeline
- Vulnerability published: 21 August 2023
- Vulnerability reserved
Credit
This issue was discovered by Robert Jacob (Red Hat).