Bug 2295777 (CVE-2024-6508) - CVE-2024-6508 openshift-console: OAuth2 insufficient state parameter entropy [NEEDINFO]
Summary: CVE-2024-6508 openshift-console: OAuth2 insufficient state parameter entropy
Keywords:
Status: NEW
Alias: CVE-2024-6508
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-07-04 11:31 UTC by ybuenos
Modified: 2025-05-03 08:27 UTC (History)
CC: 21 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
rkshirsa: needinfo? (ybuenos)




Links (Red Hat Product Errata; private, priority, status and summary columns are empty for every entry):
RHSA-2024:10813 (last updated 2024-12-12 02:08:16 UTC)
RHSA-2024:7922 (last updated 2024-10-16 02:40:38 UTC)
RHSA-2024:8415 (last updated 2024-10-30 01:13:23 UTC)
RHSA-2024:8991 (last updated 2024-11-13 18:35:02 UTC)
RHSA-2024:9620 (last updated 2024-11-20 04:18:17 UTC)
RHSA-2025:0014 (last updated 2025-01-09 02:15:58 UTC)


Description ybuenos 2024-07-04 11:31:01 UTC
*Problem Summary*:
WebInspect has identified that the application under test, which uses the OAuth2 protocol, is using insufficient entropy in the state parameter value in the workflow. This introduces a CSRF vulnerability in the context of the OAuth process, and gives the ability to log in to the victim's current application account using a third-party account without any restrictions.
In the authorization code grant type and the implicit grant type, the OAuth protocol is vulnerable to a CSRF attack if the state parameter is used inefficiently.
An attacker can perform a normal OAuth2 process and get the redirection URL that contains the authorization code of the third party. The attacker can bind his account to the victim's account for the vulnerable application by enticing the victim to access this URL.
If the state parameter is set in the redirection URL but without sufficient entropy, then an attacker can predict the user's state parameter and forge a reliable redirection URL to induce the victim to access it and carry out a CSRF attack.
In this case WebInspect detected that the session is using OAuth2 and inserts a state parameter in the query variables (5189522f) as a CSRF token. However, WebInspect has found that the value of the state parameter may be guessable and predictable. The attacker could predict the next token of the user and then exploit it.

*Steps to reproduce*:

   - Initiate the OAuth2 binding process
   - Extract the state parameter value from the redirection URL to the authorization server
   - Repeat the previous steps and get a new state parameter value
   - Try to analyze the order between the two state parameters and predict the victim's state parameter value
   - Finish logging in to the authorization server
   - When the authorization server attempts to redirect the user to the client application, do not follow the redirection
   - Modify the state parameter value to a predicted value that might be assigned to the victim
   - Send the redirection URL with the predicted state parameter value to the victim, who is currently logged in to the client application
   - Note whether the victim's client application account is bound to the attacker's third-party account


*Implication*:
The attacker can gain access to other users' accounts and access sensitive information in their profiles, or perform arbitrary actions using the victim's account.

*Suggestions*:
Improve the entropy of state parameter value.

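As an added illustration of the attack and the fix described in the report above (example code written for this page, not part of the original report and not the openshift-console code base), the Go below contrasts a predictable 32-bit state of the kind a scanner would flag with a 256-bit state drawn from the OS CSPRNG that is bound to the browser session and verified on the callback. The cookie name, the authorization URL and the seeded math/rand model of "weak" generation are assumptions made for the example; they do not describe how the console actually generated its state.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	mrand "math/rand"
	"net/http"
	"net/url"
)

// stateCookie is a hypothetical cookie name chosen for this example.
const stateCookie = "oauth_state"

// weakState models the anti-pattern in the report: an 8-hex-digit (32-bit)
// state taken from a non-cryptographic PRNG. Anyone who can reproduce the seed
// (here an integer standing in for a clock value) reproduces the state, so a
// victim's next state is predictable. Illustrative only.
func weakState(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("%08x", r.Uint32())
}

// newState returns 32 bytes (256 bits) from crypto/rand, base64url-encoded.
// This is the "improve the entropy" fix the report asks for.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// beginLogin mints a fresh state, binds it to this browser with an HttpOnly,
// Secure, SameSite=Lax cookie, and returns the authorization URL carrying the
// same value. Entropy alone is not enough: the state must also be tied to the
// session that started the flow, otherwise any valid-looking state is accepted.
func beginLogin(w http.ResponseWriter, authorizeURL string) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/", MaxAge: 300,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	u, err := url.Parse(authorizeURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// validateCallback is the check that defeats the login-CSRF in the report: the
// state in the redirect must match the one bound to the requesting browser.
// A URL the attacker forged with their own (or a guessed) state is rejected
// because it does not match the victim's cookie.
func validateCallback(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return errors.New("no state bound to this session")
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("state mismatch: possible login CSRF")
	}
	return nil
}

func main() {
	s, err := newState()
	if err != nil {
		panic(err)
	}
	fmt.Println("weak state (seed 1):", weakState(1))
	fmt.Println("strong state:       ", s)
}
```

Running main shows the two states side by side; the seeded one is identical on every run, the CSPRNG one never repeats. The verification step matters as much as the entropy: if the client accepted any state echoed back by the authorization server, the report's forged-redirect scenario would still succeed regardless of how the value was generated.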
Comment 3 errata-xmlrpc 2024-10-16 02:40:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922

Comment 4 errata-xmlrpc 2024-10-30 01:13:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8415 https://access.redhat.com/errata/RHSA-2024:8415

Comment 5 errata-xmlrpc 2024-11-13 18:34:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8991 https://access.redhat.com/errata/RHSA-2024:8991

Comment 6 errata-xmlrpc 2024-11-20 04:18:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:9620 https://access.redhat.com/errata/RHSA-2024:9620

Comment 7 errata-xmlrpc 2024-12-12 02:08:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:10813 https://access.redhat.com/errata/RHSA-2024:10813

Comment 8 errata-xmlrpc 2025-01-09 02:15:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:0014 https://access.redhat.com/errata/RHSA-2025:0014

