Openshift-logging: lokistack authorisation is cached too broadly
CVE-2023-4456

5.7 MEDIUM

Key Information:

Vendor
Red Hat
CVE Published:
21 August 2023

Summary

A flaw was found in openshift-logging LokiStack. The authorization cache is keyed on the token alone, which is too broad: a cached decision is not tied to the action it was made for. A user holding a token valid for one action can therefore execute other actions as long as the authorization allowing the original action is still cached.
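To illustrate the cache-key flaw described above, here is an added example (not LokiStack's or Red Hat's own code) of an authorization cache keyed on the token alone beside one keyed on every input the decision depends on; the names AuthzRequest, CachingAuthorizer, Replay, the "tok-reader" token and the read-only policy are this example's own constructions.

```go
package main

// AuthzRequest is the question put to the backend: may the holder of Token
// perform Verb on Resource in Tenant? (Field names are this example's own.)
type AuthzRequest struct{ Token, Tenant, Verb, Resource string }

// KeyFunc derives the cache key for a request.
type KeyFunc func(AuthzRequest) string

// TokenOnlyKey reproduces the flawed pattern: the token alone names the entry,
// so an "allow" cached for one verb is replayed for every other verb.
func TokenOnlyKey(r AuthzRequest) string { return r.Token }

// ScopedKey includes every input the decision depended on.
func ScopedKey(r AuthzRequest) string {
	return r.Token + "|" + r.Tenant + "|" + r.Verb + "|" + r.Resource
}

// CachingAuthorizer memoises backend decisions under the chosen key
// (entry expiry is omitted for brevity; a real cache needs a TTL).
type CachingAuthorizer struct {
	key     KeyFunc
	backend func(AuthzRequest) bool
	cache   map[string]bool
}

// Allowed returns the cached decision when the key matches, else asks the backend.
func (c *CachingAuthorizer) Allowed(r AuthzRequest) bool {
	k := c.key(r)
	if v, ok := c.cache[k]; ok {
		return v
	}
	v := c.backend(r)
	c.cache[k] = v
	return v
}

// readOnlyPolicy is a constructed backend: the token may only "get" logs in "app".
func readOnlyPolicy(r AuthzRequest) bool {
	return r.Token == "tok-reader" && r.Tenant == "app" && r.Verb == "get" && r.Resource == "logs"
}

// Replay runs the advisory's scenario: a permitted "get" warms the cache, then a
// "create" with the same token is attempted. It returns whether the create passed.
func Replay(key KeyFunc) bool {
	a := &CachingAuthorizer{key: key, backend: readOnlyPolicy, cache: map[string]bool{}}
	a.Allowed(AuthzRequest{"tok-reader", "app", "get", "logs"}) // allowed and cached
	return a.Allowed(AuthzRequest{"tok-reader", "app", "create", "logs"}) // true with TokenOnlyKey, false with ScopedKey
}
```

Replay(TokenOnlyKey) returns true because the cached allow for "get" is reused for "create"; Replay(ScopedKey) returns false because the scoped key misses the cache and the backend denies the write.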

Affected Version(s)

RHOL-5.5-RHEL-8 v0.1.0-327

RHOL-5.6-RHEL-8 v0.1.0-326

RHOL-5.7-RHEL-8 v0.1.0-325

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Robert Jacob (Red Hat).