Redhat Service Interconnect vulnerabilities

CVE-2024-6535 [MEDIUM] CWE-1392 CVE-2024-6535: A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-a A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.

CVE-2023-5056 [MEDIUM] CWE-862 CVE-2023-5056: A flaw was found in the Skupper operator, which may permit a certain configuration to create a servi A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.

CVE-2023-44487 [HIGH] CWE-400 CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancell The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.