Vulnerability in Skupper Console Exposes Sensitive Data and Impacts Resource Availability

CVE-2024-12582

7.1 HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Service Interconnect 1
CVE Published: 24 December 2024

Summary

A significant flaw exists in the Skupper Console, a read-only interface that presents network traffic details and metrics for applications configured in hybrid multi-cloud environments. The vulnerability arises when the default authentication mechanism is used: a random password is generated for the 'admin' user and stored in plaintext within a Kubernetes secret or a Podman volume, leaving it susceptible to interception. An attacker who manipulates this authentication mechanism can read any user-readable file within the container's filesystem, directly jeopardizing data confidentiality. Furthermore, by manipulating Skupper's behavior, an attacker can cause the system to read excessively large files into memory, potentially leading to a denial-of-service condition through resource exhaustion.
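A defensive illustration of the two failure modes named above, added here as an example that is not Skupper's or Red Hat's own code: a hypothetical Go helper that reads the admin password file from its secret mount directory, refusing any name that would resolve outside that directory and bounding how many bytes are ever read into memory. The directory layout and size limit are assumptions for the example.

```go
package main

import (
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrBadName = errors.New("password file name must be a plain file name")
var ErrTooLarge = errors.New("password file exceeds size limit")

// maxPasswordBytes bounds how much of the file is ever held in memory (assumed limit).
const maxPasswordBytes = 4096

// readPasswordFile reads one credential file from the mounted secret directory.
// It rejects names that are not a single path element, checks that the symlink-resolved
// target still lies under the secret directory (Kubernetes mounts secrets through
// symlinks into a "..data" subdirectory), and stops reading past the size limit, so a
// manipulated name cannot expose other files and an oversized file cannot exhaust memory.
func readPasswordFile(secretDir, name string) (string, error) {
	if name == "" || name != filepath.Base(name) || strings.HasPrefix(name, ".") {
		return "", ErrBadName
	}
	realDir, err := filepath.EvalSymlinks(secretDir)
	if err != nil {
		return "", err
	}
	real, err := filepath.EvalSymlinks(filepath.Join(secretDir, name))
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(real, realDir+string(os.PathSeparator)) {
		return "", ErrBadName
	}
	f, err := os.Open(real)
	if err != nil {
		return "", err
	}
	defer f.Close()
	// Read at most one byte beyond the limit: enough to detect oversize without buffering it all.
	data, err := io.ReadAll(io.LimitReader(f, maxPasswordBytes+1))
	if err != nil {
		return "", err
	}
	if len(data) > maxPasswordBytes {
		return "", ErrTooLarge
	}
	return strings.TrimSpace(string(data)), nil
}
```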

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database