CVE-2024-6508: Openshift-console: oauth2 insufficient state parameter entropy

Description

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

Classification

CVE ID: CVE-2024-6508

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 15.26% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://access.redhat.com/errata/RHSA-2024:10813
https://access.redhat.com/errata/RHSA-2024:7922
https://access.redhat.com/errata/RHSA-2024:8415
https://access.redhat.com/errata/RHSA-2024:8991
https://access.redhat.com/errata/RHSA-2024:9620
https://access.redhat.com/security/cve/CVE-2024-6508
https://bugzilla.redhat.com/show_bug.cgi?id=2295777

Timeline

2024-12-13 00:30:50 UTC
CVE

Openshift-console: oauth2 insufficient state parameter entropy