CVE-2024-6508

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:7922
https://access.redhat.com/errata/RHSA-2024:8415
https://access.redhat.com/errata/RHSA-2024:8991
https://access.redhat.com/errata/RHSA-2024:9620
https://access.redhat.com/security/cve/CVE-2024-6508
https://bugzilla.redhat.com/show_bug.cgi?id=2295777

Configurations

No configuration.

History

21 Nov 2024, 19:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:8991 - () https://access.redhat.com/errata/RHSA-2024:9620 -

30 Oct 2024, 11:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:8415 -

16 Oct 2024, 07:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:7922 -

21 Aug 2024, 12:30

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 06:15

Updated : 2024-11-21 19:15

NVD link : CVE-2024-6508

Mitre link : CVE-2024-6508

CVE.ORG link : CVE-2024-6508

JSON object : View

Products Affected

No product.

CWE

CWE-331

Insufficient Entropy

{"id": "CVE-2024-6508", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2024-08-21T06:15:08.120", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:7922", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8415", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8991", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:9620", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-6508", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295777", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-331"}]}], "descriptions": [{"lang": "en", "value": "An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim\u2019s current application account using a third-party account without any restrictions."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de entrop\u00eda insuficiente en Openshift Console. En el tipo de c\u00f3digo de autorizaci\u00f3n y el tipo de concesi\u00f3n impl\u00edcita, el protocolo OAuth2 es vulnerable a un ataque de Cross-Site Request Forgery (CSRF) si el par\u00e1metro de estado se utiliza de manera ineficiente. Esta falla permite iniciar sesi\u00f3n en la cuenta de la aplicaci\u00f3n actual de la v\u00edctima utilizando una cuenta de terceros sin ninguna restricci\u00f3n."}], "lastModified": "2024-11-21T19:15:13.060", "sourceIdentifier": "secalert@redhat.com"}