CVE-2024-7079: Missing Authentication for Critical Function in Red Hat OpenShift Container Platform

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 43.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 24

Description

A flaw was found in the OpenShift console. The /API/helm/verify endpoint is tasked with fetching and verifying the installation of a Helm chart from a URI that is either remote (HTTP/HTTPS) or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 0 packages

Also affects: OpenShift Container Platform 3.11, 4.0

Vulnerability Details (2)

CVEList
Openshift-console: unauthenticated installation of helm charts (2024-07-24)

GHSA
GHSA-f9cg-c8c7-cmx3: A flaw was found in the Openshift console (2024-07-24)

Vendor Advisories (1)

Red Hat
openshift-console: Unauthenticated Installation of Helm Charts (2024-07-24)
CVE-2024-7079: Red Hat vulnerability | cvebase