CVE-2024-7079

A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*

History

26 Jul 2024, 10:15

Type Values Removed Values Added
Summary
  • (es) Se encontró una falla en la consola Openshift. El endpoint /API/helm/verify tiene la tarea de buscar y verificar la instalación de un gráfico Helm desde un URI que sea HTTP/HTTPS remoto o local. El acceso a este endpoint está controlado por la función de middleware authHandlerWithUser(). Al contrario de lo que sugiere su nombre, esta función de middleware no verifica la validez de las credenciales del usuario. Como resultado, los usuarios no autenticados pueden acceder a este endpoint.

25 Jul 2024, 17:31

Type Values Removed Values Added
First Time Redhat
Redhat openshift Container Platform
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 6.5
References () https://access.redhat.com/security/cve/CVE-2024-7079 - () https://access.redhat.com/security/cve/CVE-2024-7079 - Vendor Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2299678 - () https://bugzilla.redhat.com/show_bug.cgi?id=2299678 - Issue Tracking
CPE cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

24 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-24 16:15

Updated : 2024-09-19 06:15


NVD link : CVE-2024-7079

Mitre link : CVE-2024-7079

CVE.ORG link : CVE-2024-7079


JSON object : View

Products Affected

redhat

  • openshift_container_platform
CWE
CWE-306

Missing Authentication for Critical Function