Insufficient Entropy Vulnerability in Red Hat Openshift Console Allows CSRF Attacks
CVE-2024-6508
8.0 HIGH
Key Information
- Vendor: Red Hat
- Product: Red Hat Openshift Container Platform 4
- CVE Published: 21 August 2024
Summary
An insufficient entropy vulnerability was found in the Openshift Console. In the OAuth2 authorization code and implicit grant flows, the protocol relies on the state parameter being unguessable: it binds the authorization response to the browser session that started the flow. When the state value is generated with too little entropy it can be predicted by an attacker, and the flow becomes vulnerable to a Cross-Site Request Forgery (CSRF) attack. This flaw allows an attacker to log the victim's browser into the application using a third-party (attacker-controlled) account without any restrictions, a login CSRF.
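The following Go program is an added illustration of the flaw class described above; it is not the Openshift Console's code and does not reproduce its actual state handling. It contrasts a hypothetical low-entropy state generator (seeded from the clock, constructed here only to show why predictability matters) with a state token drawn from the OS CSPRNG, builds the authorization request, and validates the state echoed back on the callback against the value bound to the session. The endpoint, client ID and redirect URI are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	mrand "math/rand"
	"net/url"
	"time"
)

// weakState is a deliberately predictable generator standing in for the kind of
// low-entropy state value the advisory describes. Constructed for this example;
// it is not the console's actual implementation. Its only secret is the seed,
// which an attacker can narrow down to a few hundred candidates.
func weakState(now time.Time) string {
	r := mrand.New(mrand.NewSource(now.Unix())) // seed is guessable to the second
	return fmt.Sprintf("%08x", r.Uint32())
}

// newState returns a state token carrying 256 bits of entropy from crypto/rand,
// encoded as URL-safe base64 (43 characters, no padding).
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// authorizeURL builds the authorization-code request. The same state value must
// be stored server-side for this browser session (or in a signed cookie) so the
// callback handler can check it.
func authorizeURL(authEndpoint, clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode()
}

var ErrStateMismatch = errors.New("oauth2: state does not match the value bound to this session")

// verifyCallback compares the state echoed back by the authorization server with
// the one bound to the session. A mismatch (or a session with no pending state)
// means this callback was not started by this user agent and the code must not
// be exchanged; that is exactly the login-CSRF case the advisory describes.
func verifyCallback(sessionState, callbackState string) error {
	if sessionState == "" || len(sessionState) != len(callbackState) ||
		subtle.ConstantTimeCompare([]byte(sessionState), []byte(callbackState)) != 1 {
		return ErrStateMismatch
	}
	return nil
}

// guessWeakState models the attacker's side against weakState: knowing roughly
// when the victim started the flow, try every seed within +/- windowSec seconds
// until one reproduces the observed state. Success means the attacker can craft
// a callback URL carrying the victim's state and their own authorization code.
func guessWeakState(observed string, approx time.Time, windowSec int) (time.Time, bool) {
	for d := -windowSec; d <= windowSec; d++ {
		t := approx.Add(time.Duration(d) * time.Second)
		if weakState(t) == observed {
			return t, true
		}
	}
	return time.Time{}, false
}

func main() {
	s, err := newState()
	if err != nil {
		panic(err)
	}
	fmt.Println(authorizeURL("https://oauth.example/authorize", "console", "https://console.example/auth/callback", s))
	fmt.Println("genuine callback:", verifyCallback(s, s))
	fmt.Println("forged callback: ", verifyCallback(s, "attacker-chosen"))

	// Constructed scenario: victim started the flow at a fixed instant; the attacker
	// only knows it to within a couple of minutes.
	victim := time.Unix(1700000000, 0)
	recovered, ok := guessWeakState(weakState(victim), victim.Add(90*time.Second), 300)
	fmt.Println("weak state recovered:", ok, recovered.Equal(victim))
}
```

The check in verifyCallback is what the state parameter is for: it is not enough to require that state be present, it must be unpredictable and tied to the session that issued the request, otherwise an attacker who can guess it can complete the flow on the victim's behalf with the attacker's own account.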
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Score: 8.0
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Timeline
- Risk changed from unscored to 8.0 (HIGH).
- Vulnerability published.
- Vulnerability reserved.
- Reported to Red Hat.
Collectors
- NVD Database
- MITRE Database