CVE-2024-7128

A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider ("openShiftAuth") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:4427
https://access.redhat.com/errata/RHSA-2025:4723
https://access.redhat.com/security/cve/CVE-2024-7128
https://bugzilla.redhat.com/show_bug.cgi?id=2300037
https://access.redhat.com/security/cve/CVE-2024-7128
https://bugzilla.redhat.com/show_bug.cgi?id=2300037

Configurations

No configuration.

History

15 May 2025, 02:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:4427 - () https://access.redhat.com/errata/RHSA-2025:4723 -

Information

Published : 2024-07-26 14:15

Updated : 2025-05-15 02:15

NVD link : CVE-2024-7128

Mitre link : CVE-2024-7128

CVE.ORG link : CVE-2024-7128

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2024-7128", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-07-26T14:15:03.573", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:4427", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2025:4723", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7128", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300037", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7128", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300037", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider (\"openShiftAuth\") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification."}, {"lang": "es", "value": " Se encontr\u00f3 un fallo en la consola Openshift. Varios endpoints de la aplicaci\u00f3n utilizan las funciones de middleware authHandler() y authHandlerWithUser(). Cuando se establece el proveedor de autenticaci\u00f3n predeterminado (\"openShiftAuth\"), estas funciones no realizan ninguna verificaci\u00f3n de autenticaci\u00f3n, sino que dependen del servicio de destino para manejar la autenticaci\u00f3n y la autorizaci\u00f3n. Este problema conduce a diversos grados de exposici\u00f3n de datos debido a la falta de una verificaci\u00f3n de credenciales adecuada."}], "lastModified": "2025-05-15T02:15:21.110", "sourceIdentifier": "secalert@redhat.com"}