
    6 vulnerabilities found for Service Interconnect 1 for RHEL 9 by Red Hat

    CVE-2024-12582 (GCVE-0-2024-12582)

    Vulnerability from nvd – Published: 2024-12-24 03:31 – Updated: 2026-06-18 08:31
    Title
    Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service
    Summary
    A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    Impacted products
    Vendor Product Version
    Affected: 0 , < 1.8.3 (semver)
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.8.3-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 2.7.3-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Red Hat Service Interconnect 1     cpe:/a:redhat:service_interconnect:1
    Date Public
    2024-12-20 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12582",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T18:13:55.863080Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T18:13:59.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/skupperproject/skupper/",
              "defaultStatus": "unaffected",
              "packageName": "skupper",
              "versions": [
                {
                  "lessThan": "1.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-config-sync-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-controller-podman-container-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-controller-podman-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-operator-bundle",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-router-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.7.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-site-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1"
              ],
              "defaultStatus": "unaffected",
              "packageName": "skupper-cli",
              "product": "Red Hat Service Interconnect 1",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-12-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the skupper console,  a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T08:31:49.281Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:1413",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1413"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-12582"
            },
            {
              "name": "RHBZ#2333540",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540"
            },
            {
              "url": "https://github.com/skupperproject/skupper/pull/1833"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-12-20T17:33:05.858Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-12-20T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service",
          "workarounds": [
            {
              "lang": "en",
              "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-12582",
        "datePublished": "2024-12-24T03:31:24.896Z",
        "dateReserved": "2024-12-12T17:10:04.729Z",
        "dateUpdated": "2026-06-18T08:31:49.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6535 (GCVE-0-2024-6535)

    Vulnerability from nvd – Published: 2024-07-17 02:25 – Updated: 2025-11-20 19:54
    Title
    Skupper: potential authentication bypass to skupper console via forged cookies
    Summary
    A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.
    SSVC
    Exploitation: none · Automatable: yes · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2024:4865 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:4871 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-6535 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2296024 issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 0 , < 0.0.0-20240703184342-c26bce4079ff (custom)
    Red Hat Service Interconnect 1.4 for RHEL 9 Unaffected: 1.4.7-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1.4::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.5.5-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Red Hat Service Interconnect 1     cpe:/a:redhat:service_interconnect:1
    Date Public
    2024-07-17 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6535",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T15:24:58.883446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-18T15:16:27.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.493Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2024:4865",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2024:4865"
              },
              {
                "name": "RHSA-2024:4871",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2024:4871"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2024-6535"
              },
              {
                "name": "RHBZ#2296024",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/skupperproject/skupper",
              "defaultStatus": "unaffected",
              "packageName": "skupper",
              "versions": [
                {
                  "lessThan": "0.0.0-20240703184342-c26bce4079ff",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1.4 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.7-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1.4 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.7-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.5.5-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.5.5-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1"
              ],
              "defaultStatus": "affected",
              "packageName": "skupper",
              "product": "Red Hat Service Interconnect 1",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-07-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1392",
                  "description": "Use of Default Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T19:54:25.623Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:4865",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:4865"
            },
            {
              "name": "RHSA-2024:4871",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:4871"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-6535"
            },
            {
              "name": "RHBZ#2296024",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-05T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-07-17T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Skupper: potential authentication bypass to skupper console via forged cookies",
          "x_redhatCweChain": "CWE-1392: Use of Default Credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-6535",
        "datePublished": "2024-07-17T02:25:25.958Z",
        "dateReserved": "2024-07-05T18:48:04.548Z",
        "dateUpdated": "2025-11-20T19:54:25.623Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-5056 (GCVE-0-2023-5056)

    Vulnerability from nvd – Published: 2023-12-18 13:43 – Updated: 2025-11-20 07:02
    Title
    Skupper-operator: privilege escalation via config map
    Summary
    A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2023:6219 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2023-5056 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2239517 issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.4.3-5 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.4.3-6 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 2.4.3-3 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.4.3-4 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Date Public
    2023-10-26 14:58

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:44:53.783Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2023:6219",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:6219"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2023-5056"
              },
              {
                "name": "RHBZ#2239517",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-config-sync-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-operator-bundle",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-router-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.4.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-4",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-site-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-6",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "datePublic": "2023-10-26T14:58:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user\u0027s purview."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T07:02:56.903Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2023:6219",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:6219"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2023-5056"
            },
            {
              "name": "RHBZ#2239517",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-09-12T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2023-10-26T14:58:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Skupper-operator: privilege escalation via config map",
          "x_redhatCweChain": "CWE-862: Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2023-5056",
        "datePublished": "2023-12-18T13:43:07.807Z",
        "dateReserved": "2023-09-18T18:33:13.584Z",
        "dateUpdated": "2025-11-20T07:02:56.903Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12582 (GCVE-0-2024-12582)

    Vulnerability from cvelistv5 – Published: 2024-12-24 03:31 – Updated: 2026-06-18 08:31
    VLAI
    Title
    Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service
    Summary
    A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    Impacted products
    Vendor Product Version
    Affected: 0 , < 1.8.3 (semver)
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.8.3-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 2.7.3-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Red Hat Service Interconnect 1     cpe:/a:redhat:service_interconnect:1
    Date Public
    2024-12-20 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12582",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T18:13:55.863080Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T18:13:59.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/skupperproject/skupper/",
              "defaultStatus": "unaffected",
              "packageName": "skupper",
              "versions": [
                {
                  "lessThan": "1.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-config-sync-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-controller-podman-container-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-controller-podman-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-operator-bundle",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-router-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.7.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-site-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.8.3-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1"
              ],
              "defaultStatus": "unaffected",
              "packageName": "skupper-cli",
              "product": "Red Hat Service Interconnect 1",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-12-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the skupper console,  a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T08:31:49.281Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:1413",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1413"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-12582"
            },
            {
              "name": "RHBZ#2333540",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540"
            },
            {
              "url": "https://github.com/skupperproject/skupper/pull/1833"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-12-20T17:33:05.858Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-12-20T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service",
          "workarounds": [
            {
              "lang": "en",
              "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-12582",
        "datePublished": "2024-12-24T03:31:24.896Z",
        "dateReserved": "2024-12-12T17:10:04.729Z",
        "dateUpdated": "2026-06-18T08:31:49.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6535 (GCVE-0-2024-6535)

    Vulnerability from cvelistv5 – Published: 2024-07-17 02:25 – Updated: 2025-11-20 19:54
    VLAI
    Title
    Skupper: potential authentication bypass to skupper console via forged cookies
    Summary
    A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2024:4865 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2024:4871 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-6535 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2296024 issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 0 , < 0.0.0-20240703184342-c26bce4079ff (custom)
    Red Hat Service Interconnect 1.4 for RHEL 9 Unaffected: 1.4.7-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1.4::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.5.5-1 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Red Hat Service Interconnect 1     cpe:/a:redhat:service_interconnect:1
    Date Public
    2024-07-17 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6535",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T15:24:58.883446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-18T15:16:27.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.493Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2024:4865",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2024:4865"
              },
              {
                "name": "RHSA-2024:4871",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2024:4871"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2024-6535"
              },
              {
                "name": "RHBZ#2296024",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/skupperproject/skupper",
              "defaultStatus": "unaffected",
              "packageName": "skupper",
              "versions": [
                {
                  "lessThan": "0.0.0-20240703184342-c26bce4079ff",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1.4 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.7-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1.4 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.7-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.5.5-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.5.5-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1"
              ],
              "defaultStatus": "affected",
              "packageName": "skupper",
              "product": "Red Hat Service Interconnect 1",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-07-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1392",
                  "description": "Use of Default Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T19:54:25.623Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:4865",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:4865"
            },
            {
              "name": "RHSA-2024:4871",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:4871"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-6535"
            },
            {
              "name": "RHBZ#2296024",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296024"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-05T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-07-17T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Skupper: potential authentication bypass to skupper console via forged cookies",
          "x_redhatCweChain": "CWE-1392: Use of Default Credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-6535",
        "datePublished": "2024-07-17T02:25:25.958Z",
        "dateReserved": "2024-07-05T18:48:04.548Z",
        "dateUpdated": "2025-11-20T19:54:25.623Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-5056 (GCVE-0-2023-5056)

    Vulnerability from cvelistv5 – Published: 2023-12-18 13:43 – Updated: 2025-11-20 07:02
    VLAI
    Title
    Skupper-operator: privilege escalation via config map
    Summary
    A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2023:6219 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2023-5056 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2239517 issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.4.3-5 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.4.3-6 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 2.4.3-3 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Red Hat Service Interconnect 1 for RHEL 9 Unaffected: 1.4.3-4 , < * (rpm)
        cpe:/a:redhat:service_interconnect:1::el9
    Date Public
    2023-10-26 14:58

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:44:53.783Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2023:6219",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:6219"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2023-5056"
              },
              {
                "name": "RHBZ#2239517",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-config-sync-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-flow-collector-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-operator-bundle",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-router-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.4.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-service-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-4",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:service_interconnect:1::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "service-interconnect/skupper-site-controller-rhel9",
              "product": "Service Interconnect 1 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.4.3-6",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "datePublic": "2023-10-26T14:58:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user\u0027s purview."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T07:02:56.903Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2023:6219",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:6219"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2023-5056"
            },
            {
              "name": "RHBZ#2239517",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239517"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-09-12T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2023-10-26T14:58:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Skupper-operator: privilege escalation via config map",
          "x_redhatCweChain": "CWE-862: Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2023-5056",
        "datePublished": "2023-12-18T13:43:07.807Z",
        "dateReserved": "2023-09-18T18:33:13.584Z",
        "dateUpdated": "2025-11-20T07:02:56.903Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }