Openshift/telemeter: iss check during jwt authentication can be bypassed
CVE-2024-5037

7.5HIGH

Key Information:

Status
Red Hat Openshift Container Platform 4.12
Red Hat Openshift Container Platform 4.13
Red Hat Openshift Container Platform 4.14
Vendor
CVE Published:
5 June 2024

What is CVE-2024-5037?

A vulnerability exists within OpenShift's Telemeter component, enabling attackers to exploit a flaw in JSON Web Token (JWT) authentication. This flaw arises when certain conditions are fulfilled, allowing the use of forged tokens to skip the necessary 'iss' check during authentication, thereby granting unauthorized access. Organizations utilizing OpenShift should prioritize the implementation of security measures and updates to safeguard against potential exploitation of this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2024:4151
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:4156
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:4329
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.