Skip to content

Skupper uses a static cookie secret for the openshift oauth-proxy

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Aug 4, 2024

Package

gomod github.com/skupperproject/skupper (Go)

Affected versions

< 0.0.0-20240703184342-c26bce4079ff

Patched versions

0.0.0-20240703184342-c26bce4079ff

Description

A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.

References

Published by the National Vulnerability Database Jul 17, 2024
Published to the GitHub Advisory Database Jul 17, 2024
Reviewed Jul 17, 2024
Last updated Aug 4, 2024

Severity

Moderate

EPSS score

0.052%
(21st percentile)

Weaknesses

CVE ID

CVE-2024-6535

GHSA ID

GHSA-w799-v85j-88pg

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.