Skupper uses a static cookie secret for the openshift oauth-proxy
High severity
GitHub Reviewed
Published
Jul 17, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Package
Affected versions
< 0.0.0-20240703184342-c26bce4079ff
Patched versions
0.0.0-20240703184342-c26bce4079ff
Description
Published by the National Vulnerability Database
Jul 17, 2024
Published to the GitHub Advisory Database
Jul 17, 2024
Reviewed
Jul 17, 2024
Last updated
Nov 18, 2024
A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.
References