Show plain JSON{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7079", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-07-24T13:29:26.277Z", "datePublished": "2024-07-24T15:51:36.331Z", "dateUpdated": "2024-12-03T20:22:49.051Z"}, "containers": {"cna": {"title": "Openshift-console: unauthenticated installation of helm charts", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 3.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift3/ose-console", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openshift:3.11"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift4/ose-console", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-7079", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299678", "name": "RHBZ#2299678", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-07-24T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-306: Missing Authentication for Critical Function", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-07-24T13:07:17+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-07-24T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Thibault Guittet (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-03T20:22:49.051Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T18:09:26.434060Z", "id": "CVE-2024-7079", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:09:33.310Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:52:30.604Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-7079", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299678", "name": "RHBZ#2299678", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}