CVE-2024-6508

HIGH

Openshift Console - CSRF

Title source: llm

Description

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

References (8)

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2295777

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:10813

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:7922

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:8415

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:8991

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:9620

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:0014

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2024-6508

Scores

CVSS v3 8.0

EPSS 0.0099

EPSS Percentile 76.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-331

Status published

Products (7)

openshift/console 0Go

Red Hat/Red Hat OpenShift Container Platform 4.12 v4.12.0-202412201659.p0.g8910d84.assembly.stream.el8

Red Hat/Red Hat OpenShift Container Platform 4.13 v4.13.0-202411300029.p0.g68accd9.assembly.stream.el8

Red Hat/Red Hat OpenShift Container Platform 4.14 v4.14.0-202411131205.p0.g839a801.assembly.stream.el8

Red Hat/Red Hat OpenShift Container Platform 4.15 v4.15.0-202411060036.p0.gd8360d4.assembly.stream.el8

Red Hat/Red Hat OpenShift Container Platform 4.16 v4.16.0-202410231737.p0.gf0870c3.assembly.stream.el9

Red Hat/Red Hat OpenShift Container Platform 4.17 v4.17.0-202410091535.p0.ge61f187.assembly.stream.el9

Published Aug 21, 2024

Tracked Since Feb 18, 2026