CVE-2024-7079

Openshift-console: unauthenticated installation of helm charts

Description

A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.

Remediation

Workaround:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Tags
https://access.redhat.com/security/cve/CVE-2024-7079	vdb entry vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2299678	issue tracking

Frequently Asked Questions

What is the severity of CVE-2024-7079?: CVE-2024-7079 has been scored as a medium severity vulnerability.
How to fix CVE-2024-7079?: As a workaround for remediating CVE-2024-7079: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Is CVE-2024-7079 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-7079 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-7079?: CVE-2024-7079 affects Red Hat Red Hat OpenShift Container Platform 3.11, Red Hat Red Hat OpenShift Container Platform 4.

Description

Remediation

Category

CWE-306 – Missing Authentication for Critical Function

References

Frequently Asked Questions