Bug 2299678 (CVE-2024-7079) - CVE-2024-7079 openshift-console: Unauthenticated Installation of Helm Charts
Summary: CVE-2024-7079 openshift-console: Unauthenticated Installation of Helm Charts
Keywords:
Status: NEW
Alias: CVE-2024-7079
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-24 13:26 UTC by Michal Findra
Modified: 2024-08-01 04:04 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the OpenShift console. The /api/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Michal Findra 2024-07-24 13:26:57 UTC
The /api/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI (remote http/https or local). Access to this endpoint is gated by the authHandlerWithUser() middleware function; contrary to its name, this middleware function does not check if the user's credentials are valid. This endpoint can therefore be accessed by unauthenticated users.

The impact of this vulnerability is as follows:
- An unauthenticated user can cause the console to query arbitrary HTTP/HTTPS URLs.
- An unauthenticated user can, by crafting a specific Helm chart, leak all Kubernetes resources accessible by the openshift-console:console service account.
- A user with an account – regardless of its privileges – can cause the OpenShift Console to not load for all users. In such an attack, anyone trying to access the Console's web interface will only see a white page after authentication.
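The defect class described above, an "auth" middleware that extracts an identity but never validates it, is illustrated with an added Go example; it is not the console's code, and the function names, the TokenValidator hook and the stub handler are assumptions. The broken variant forwards every request; the fixed variant rejects any request whose bearer token is missing or not accepted by the validator.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenValidator is a hypothetical stand-in for the real credential check (e.g. a token review).
type TokenValidator func(token string) bool

// HelmVerifyStub stands in for the protected /api/helm/verify handler.
var HelmVerifyStub = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	return strings.TrimPrefix(h, "Bearer "), strings.HasPrefix(h, "Bearer ")
}

// BrokenAuthHandlerWithUser models the bug class: it extracts whatever identity
// the request carries and forwards the request without validating anything.
func BrokenAuthHandlerWithUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = bearerToken(r) // identity read, never checked
		next.ServeHTTP(w, r)
	})
}

// FixedAuthHandlerWithUser rejects any request whose bearer token is missing or not accepted.
func FixedAuthHandlerWithUser(validate TokenValidator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tok, ok := bearerToken(r); !ok || !validate(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func OnlyGoodToken(tok string) bool { return tok == "good-token" } // constructed validator

// Probe sends a request with the given Authorization header (empty = none) to h; returns the status code.
func Probe(h http.Handler, authz string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/helm/verify", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Probing the broken chain without any Authorization header returns 200, while the fixed chain returns 401 for a missing or rejected token and 200 only for an accepted one.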
