CVE-2024-7079— Openshift-console: unauthenticated installation of helm charts

Openshift-console: unauthenticated installation of helm charts

A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

关键功能的认证机制缺失

Red Hat OpenShift Container Platform 访问控制错误漏洞

Red Hat OpenShift Container Platform是美国红帽（Red Hat）公司的一套可帮助企业在物理、虚拟和公共云基础架构之间开发、部署和管理现有基于容器的应用程序的应用平台。 Red Hat OpenShift Container Platform 3.11和Red Hat OpenShift Container Platform 4所有版本存在访问控制错误漏洞，该漏洞源于中间件函数不会验证用户凭据的有效性，导致未经身份验证的用户可以访/API/helm/verify端点。

N/A

N/A