{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12582", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-12-12T17:10:04.729Z", "datePublished": "2024-12-24T03:31:24.896Z", "dateUpdated": "2025-02-13T20:00:50.048Z"}, "containers": {"cna": {"title": "Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."}], "affected": [{"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-config-sync-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-controller-podman-container-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-controller-podman-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-flow-collector-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-router-rhel9", "defaultStatus": "affected", "versions": [{"version": "2.7.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-service-controller-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-site-controller-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1413", "name": "RHSA-2025:1413", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-12582", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540", "name": "RHBZ#2333540", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-12-20T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness", "workarounds": [{"lang": "en", "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."}], "timeline": [{"lang": "en", "time": "2024-12-20T17:33:05.858000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-12-20T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-13T20:00:50.048Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-24T15:41:49.727197Z", "id": "CVE-2024-12582", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T15:41:56.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12582", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-24T15:41:49.727197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T15:41:53.334Z"}}], "cna": {"title": "Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-config-sync-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-controller-podman-container-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-controller-podman-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-flow-collector-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "2.7.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-router-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-service-controller-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-site-controller-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-12-20T17:33:05.858000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-12-20T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-12-20T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1413", "name": "RHSA-2025:1413", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-12582", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540", "name": "RHBZ#2333540", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-305", "description": "Authentication Bypass by Primary Weakness"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-13T20:00:50.048Z"}, "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness"}}, "cveMetadata": {"cveId": "CVE-2024-12582", "state": "PUBLISHED", "dateUpdated": "2025-02-13T20:00:50.048Z", "dateReserved": "2024-12-12T17:10:04.729Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-12-24T03:31:24.896Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la consola del cl\u00faster, una interfaz de solo lectura que muestra la red del cl\u00faster, detalles de tr\u00e1fico y m\u00e9tricas para una aplicaci\u00f3n de red que un usuario configura en un entorno h\u00edbrido de m\u00faltiples nubes. Cuando se utiliza el m\u00e9todo de autenticaci\u00f3n predeterminado, se genera una contrase\u00f1a aleatoria para el usuario \"admin\" y se conserva en un secreto de Kubernetes o en un volumen podman en un archivo de texto plano. Este m\u00e9todo de autenticaci\u00f3n puede ser manipulado por un atacante, lo que lleva a la lectura de cualquier archivo legible por el usuario en el sistema de archivos contenedor, lo que afecta directamente la confidencialidad de los datos. Adem\u00e1s, el atacante puede inducir a la recopilaci\u00f3n a leer archivos extremadamente grandes en la memoria, lo que provoca el agotamiento de los recursos y un ataque de denegaci\u00f3n de servicio."}], "id": "CVE-2024-12582", "lastModified": "2025-02-13T14:15:28.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-12-24T04:15:05.137", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1413"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-12582"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-container-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.7.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}], "bugzilla": {"description": "skupper: skupper-cli: Flawed authentication method may lead to arbitrary file read or Denial of Service", "id": "2333540", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-305", "details": ["A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.", "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."], "mitigation": {"lang": "en:us", "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."}, "name": "CVE-2024-12582", "public_date": "2024-12-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12582\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12582"], "statement": "This vulnerability is rated as an Important severity due to the risk of data confidentiality breaches and potential denial-of-service attacks where attackers can manipulate the default authentication method to access sensitive files and exhaust system resources by reading large files, affecting both data integrity and service availability in hybrid multi-cloud environments.", "threat_severity": "Important"}