Описание
A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider ("openShiftAuth") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification.
Отчет
This issue is classified as moderate severity rather than important because while it allows unauthorized access to certain endpoints, the exposure is limited to non-critical or low-impact data. The endpoints in question, such as /api/console/version and /api/plugins/, do not provide access to highly sensitive information or critical system functionality that could directly compromise the integrity, confidentiality, or availability of the system. Additionally, since authentication is still handled by the service, the risk of widespread unauthorized access is mitigated.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-console | Out of support scope | ||
| Red Hat OpenShift Container Platform 4.16 | openshift4/ose-console-rhel9 | Fixed | RHSA-2025:13336 | 13.08.2025 |
| Red Hat OpenShift Container Platform 4.17 | openshift4/ose-console-rhel9 | Fixed | RHSA-2025:4723 | 15.05.2025 |
| Red Hat OpenShift Container Platform 4.18 | openshift4/ose-console-rhel9 | Fixed | RHSA-2025:4427 | 09.05.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider ("openShiftAuth") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification.
A flaw was found in the Openshift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider ("openShiftAuth") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification.
EPSS
5.3 Medium
CVSS3