2169468 – (CVE-2023-0813) CVE-2023-0813 network-observability-console-plugin-container: setting Loki authToken configuration to DISABLE or HOST mode leads to authentication longer being enforced

Bug 2169468 (CVE-2023-0813) - CVE-2023-0813 network-observability-console-plugin-container: setting Loki authToken configuration to DISABLE or HOST mode leads to authentication longer being enforced

Summary: CVE-2023-0813 network-observability-console-plugin-container: setting Loki au...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-0813
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2169470
TreeView+	depends on / blocked

Reported:	2023-02-13 16:49 UTC by Michael Kaplan
Modified:	2024-04-18 18:34 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication.
Clone Of:
Environment:
Last Closed:	2023-02-16 03:42:17 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:0786	0	None	None	None	2023-02-15 11:41:54 UTC

Description Michael Kaplan 2023-02-13 16:49:13 UTC

In the Network Observability plugin for OpenShift console, unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows, without authentication.

Comment 2 errata-xmlrpc 2023-02-15 11:41:53 UTC

This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.1.0-RHEL-8

Via RHSA-2023:0786 https://access.redhat.com/errata/RHSA-2023:0786

Comment 3 Product Security DevOps Team 2023-02-16 03:42:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0813

Note You need to log in before you can comment on or make changes to this bug.