An insufficient entropy vulnerability was found in the OpenShift Console. In the authorization code and implicit grant types, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used ineffectively, for example generated with too little entropy to be unpredictable. This flaw allows an attacker to log in to the victim's current application account using a third-party account, without any further restriction.
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
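The two paragraphs above describe the failure mode (a predictable OAuth2 state) and its consequence (login CSRF against the current session). The following Go program is an added example, not code from the OpenShift Console or from Red Hat: it contrasts a clock-derived state, which repeats and is guessable, with a 256-bit state from crypto/rand, and shows the check a relying party needs on the callback: the state must be bound to the session that started the flow, compared in constant time, and consumed after one use. The endpoint URLs, client ID and session identifiers are made-up values for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"sync"
	"time"
)

// weakState illustrates the class of scheme CWE-331 describes: a state derived
// from a coarse clock. Two logins started in the same second get the same
// value, so an attacker can predict it. (Illustrative only; not the console's code.)
func weakState(now time.Time) string {
	return strconv.FormatInt(now.Unix(), 10)
}

// strongState draws 32 bytes (256 bits) from crypto/rand, URL-safe encoded (43 chars).
func strongState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

type pendingState struct {
	state   string
	expires time.Time
}

// StateStore binds each issued state to the browser session that started the
// authorization-code flow; the key is the session ID, not the state value.
type StateStore struct {
	mu      sync.Mutex
	pending map[string]pendingState
}

func NewStateStore() *StateStore {
	return &StateStore{pending: map[string]pendingState{}}
}

// Begin issues a fresh state for sessionID, records it with a 10-minute
// lifetime, and returns the authorization URL the browser is redirected to.
func (s *StateStore) Begin(sessionID, authorizeEndpoint, clientID, redirectURI string, now time.Time) (string, error) {
	st, err := strongState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	s.pending[sessionID] = pendingState{state: st, expires: now.Add(10 * time.Minute)}
	s.mu.Unlock()

	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", st)
	return authorizeEndpoint + "?" + q.Encode(), nil
}

// Callback checks the state returned on the redirect URI against the one bound
// to this session. The entry is consumed on every attempt, so a state is
// single-use, and the comparison is constant-time.
func (s *StateStore) Callback(sessionID, returnedState string, now time.Time) error {
	s.mu.Lock()
	p, ok := s.pending[sessionID]
	delete(s.pending, sessionID)
	s.mu.Unlock()

	if !ok {
		return errors.New("no login in progress for this session")
	}
	if now.After(p.expires) {
		return errors.New("state expired")
	}
	if subtle.ConstantTimeCompare([]byte(p.state), []byte(returnedState)) != 1 {
		return errors.New("state mismatch: possible login CSRF")
	}
	return nil
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible demo
	store := NewStateStore()
	const idp, client, cb = "https://idp.example/authorize", "console", "https://console.example/auth/callback"
	// Attacker starts their own login and captures the state from their redirect.
	attURL, _ := store.Begin("attacker-session", idp, client, cb, now)
	u, _ := url.Parse(attURL)
	attState := u.Query().Get("state")
	// Victim has a login in progress with a different state bound to their session.
	store.Begin("victim-session", idp, client, cb, now)
	// Attacker lures the victim's browser to the callback carrying the attacker's state.
	fmt.Println("cross-session callback rejected:", store.Callback("victim-session", attState, now))
	fmt.Println("weak state repeats within a second:", weakState(now) == weakState(now.Add(500*time.Millisecond)))
}
```

The session binding is the part that actually defeats login CSRF: a high-entropy state that is merely checked for presence, or looked up by its own value, still lets an attacker replay a state they obtained from their own flow. Deleting the pending entry before any comparison keeps a rejected attempt from being retried with a corrected value.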
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat OpenShift Container Platform 4.12 | RedHat | openshift4/ose-console:v4.12.0-202412201659.p0.g8910d84.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-console:v4.13.0-202411300029.p0.g68accd9.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-console:v4.14.0-202411131205.p0.g839a801.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-console:v4.15.0-202411060036.p0.gd8360d4.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-console-rhel9:v4.16.0-202410231737.p0.gf0870c3.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-console-rhel9:v4.17.0-202410091535.p0.ge61f187.assembly.stream.el9 | * |