CVE-2024-6535

Name of the Vulnerable Software and Affected Versions Skupper (affected versions not specified)

Description A flaw was found in Skupper that may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie. This issue arises when Skupper is initialized with the console-enabled and with console-auth set to Openshift, configuring the openshift oauth-proxy with a static cookie-secret. The vulnerability is related to the use of default credentials in certain circumstances.

Recommendations As a temporary workaround, consider disabling the console-auth set to Openshift until a patch is available. Restrict access to the Skupper console to minimize the risk of exploitation. Avoid using the static cookie-secret in the openshift oauth-proxy configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.