A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.
Fixes

Solution

No solution given by the vendor.


Workaround

For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use "unsecured" where authentication is not a primary concern.

History

Fri, 16 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:service_interconnect:1 cpe:/a:redhat:service_interconnect:1::el9
References

Tue, 24 Dec 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Dec 2024 03:45:00 +0000

Type Values Removed Values Added
Title skupper: skupper-cli: Flawed authentication method may lead to arbitrary file read or Denial of Service Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service
First Time appeared Redhat
Redhat service Interconnect
CPEs cpe:/a:redhat:service_interconnect:1
Vendors & Products Redhat
Redhat service Interconnect
References

Tue, 24 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

Sat, 21 Dec 2024 02:00:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title skupper: skupper-cli: Flawed authentication method may lead to arbitrary file read or Denial of Service
Weaknesses CWE-305
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-27T12:22:46.755Z

Reserved: 2024-12-12T17:10:04.729Z

Link: CVE-2024-12582

cve-icon Vulnrichment

Updated: 2024-12-24T15:41:53.334Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-12-24T04:15:05.137

Modified: 2025-02-13T14:15:28.700

Link: CVE-2024-12582

cve-icon Redhat

Severity : Important

Publid Date: 2024-12-20T00:00:00Z

Links: CVE-2024-12582 - Bugzilla

cve-icon OpenCVE Enrichment

No data.