CVE-2024-12582

Dec. 24, 2024, 4:15 a.m.

7.1
High

Description

A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

Product(s) Impacted

Product Versions
skupper console

Weaknesses

CWE-305
Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

References

https://access.redhat.com/security/cve/CVE-2024-12582
https://bugzilla.redhat.com/show_bug.cgi?id=2333540

Tags

secalert@redhat.com
CWE-305
2024-12-24
CVE-2024-12582

CVSS Score

7.1 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Date

  • Published: Dec. 24, 2024, 4:15 a.m.
  • Last Modified: Dec. 24, 2024, 4:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secalert@redhat.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.