CVE-2024-6508
Severity: HIGH
OpenShift Console - Insufficient Entropy in OAuth2 State Parameter
Title source: llmDescription
An insufficient entropy vulnerability was found in the OpenShift Console. In the authorization code and implicit grant types, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is not used effectively (here, generated with insufficient entropy). This flaw allows logging into the victim's current application account using a third-party account without any restrictions.
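To show the defect class behind CWE-331 in this record, here is an added Go example that is not the OpenShift Console's code and not its fix: a state value drawn from the OS CSPRNG, bound to the browser in a cookie (the cookie name is an assumption), and checked in constant time on the callback so that a callback carrying a mismatched or absent state is rejected.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
)

// Assumed cookie name; how the real console stores the state is not on the page.
const stateCookie = "oauth_state"

// NewState draws 32 bytes (256 bits) from the OS CSPRNG. A counter, timestamp or
// math/rand value here is the CWE-331 defect: an attacker can guess or reuse it.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// SetStateCookie binds the state to the browser that started the login (10 min TTL).
func SetStateCookie(w http.ResponseWriter, state string) {
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteLaxMode, MaxAge: 600,
	})
}

// VerifyState rejects a callback whose state is missing or differs from the one
// bound to this browser; a link carrying someone else's code fails here.
func VerifyState(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return fmt.Errorf("no state cookie: login was not started by this browser")
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return fmt.Errorf("state mismatch: rejecting callback as login CSRF")
	}
	return nil
}

func main() {
	s, err := NewState() // each call yields a fresh, unpredictable 43-char value
	fmt.Println(s, err)
}
```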
References (8)
Issue Tracking (x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2295777
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:10813
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:7922
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:8415
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:8991
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:9620
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:0014
Vendor Advisory, VDB entry (x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2024-6508
Scores
CVSS v3: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0056 (percentile 41.9%)
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: no; Technical Impact: total
Details
CWE: CWE-331 (Insufficient Entropy)
Status: published
Products (7)
openshift/console (Go)
Red Hat OpenShift Container Platform 4.12: v4.12.0-202412201659.p0.g8910d84.assembly.stream.el8
Red Hat OpenShift Container Platform 4.13: v4.13.0-202411300029.p0.g68accd9.assembly.stream.el8
Red Hat OpenShift Container Platform 4.14: v4.14.0-202411131205.p0.g839a801.assembly.stream.el8
Red Hat OpenShift Container Platform 4.15: v4.15.0-202411060036.p0.gd8360d4.assembly.stream.el8
Red Hat OpenShift Container Platform 4.16: v4.16.0-202410231737.p0.gf0870c3.assembly.stream.el9
Red Hat OpenShift Container Platform 4.17: v4.17.0-202410091535.p0.ge61f187.assembly.stream.el9
Published: Aug 21, 2024
Tracked Since: Feb 18, 2026