CVE-2024-12582 - Vulnerability Details - OpenCVE

Description

A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

Published: 2024-12-24

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 1.8.3

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`2.7.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

Red Hat

Service Interconnect 1 for RHEL 9

affected

Version	Status	Constraints
`1.8.3-1`	unaffected	< *

No data.

Package	CPE	Advisory	Released Date
Service Interconnect 1 for RHEL 9
service-interconnect/skupper-config-sync-rhel9:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-controller-podman-container-rhel9:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-controller-podman-rhel9:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-flow-collector-rhel9:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-operator-bundle:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-router-rhel9:2.7.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-service-controller-rhel9:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z
service-interconnect/skupper-site-controller-rhel9:1.8.3-1	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2025:1413	2025-02-13T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use "unsecured" where authentication is not a primary concern.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-50973	A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00151.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:1413
https://access.redhat.com/security/cve/CVE-2024-12582
https://bugzilla.redhat.com/show_bug.cgi?id=2333540
https://github.com/skupperproject/skupper/pull/1833
https://nvd.nist.gov/vuln/detail/CVE-2024-12582
https://www.cve.org/CVERecord?id=CVE-2024-12582

History

Wed, 06 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/skupperproject/skupper/pull/1833

Fri, 16 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 14:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:service_interconnect:1~~	cpe:/a:redhat:service_interconnect:1::el9
References		https://access.redhat.com/errata/RHSA-2025:1413

Tue, 24 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Dec 2024 03:45:00 +0000

Type	Values Removed	Values Added
Title	skupper: skupper-cli: Flawed authentication method may lead to arbitrary file read or Denial of Service	Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service
First Time appeared		Redhat Redhat service Interconnect
CPEs		cpe:/a:redhat:service_interconnect:1
Vendors & Products		Redhat Redhat service Interconnect
References		https://access.redhat.com/security/cve/CVE-2024-12582 https://bugzilla.redhat.com/show_bug.cgi?id=2333540

Tue, 24 Dec 2024 02:15:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

Sat, 21 Dec 2024 02:00:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		skupper: skupper-cli: Flawed authentication method may lead to arbitrary file read or Denial of Service
Weaknesses		CWE-305
References		https://nvd.nist.gov/vuln/detail/CVE-2024-12582 https://www.cve.org/CVERecord?id=CVE-2024-12582
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}` threat_severity `Important`

Subscriptions

Redhat Service Interconnect

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-12-24T03:31:24.896Z

Updated: 2026-05-06T16:47:35.179Z

Reserved: 2024-12-12T17:10:04.729Z

Link: CVE-2024-12582

Vulnrichment

Updated: 2024-12-24T15:41:53.334Z

NVD

Status : Deferred

Published: 2024-12-24T04:15:05.137

Modified: 2026-05-06T17:16:18.833

Link: CVE-2024-12582

Redhat

Severity : Important

Publid Date: 2024-12-20T00:00:00Z

Links: CVE-2024-12582 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-305

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-12582", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-12-12T17:10:04.729Z", "datePublished": "2024-12-24T03:31:24.896Z", "dateUpdated": "2026-05-06T16:47:35.179Z"}, "containers": {"cna": {"title": "Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "1.8.3", "versionType": "semver"}], "packageName": "skupper", "collectionURL": "https://github.com/skupperproject/skupper/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-config-sync-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-controller-podman-container-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-controller-podman-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-flow-collector-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-router-rhel9", "defaultStatus": "affected", "versions": [{"version": "2.7.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-service-controller-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}, {"vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "service-interconnect/skupper-site-controller-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.8.3-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:service_interconnect:1::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1413", "name": "RHSA-2025:1413", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-12582", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540", "name": "RHBZ#2333540", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/skupperproject/skupper/pull/1833"}], "datePublic": "2024-12-20T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness", "workarounds": [{"lang": "en", "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."}], "timeline": [{"lang": "en", "time": "2024-12-20T17:33:05.858Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-12-20T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-06T16:47:35.179Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-16T18:13:55.863080Z", "id": "CVE-2024-12582", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T18:13:59.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12582", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-16T18:13:55.863080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T15:41:53.334Z"}}], "cna": {"title": "Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "1.8.3", "versionType": "semver"}], "packageName": "skupper", "collectionURL": "https://github.com/skupperproject/skupper/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-config-sync-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-controller-podman-container-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-controller-podman-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-flow-collector-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "2.7.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-router-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-service-controller-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_interconnect:1::el9"], "vendor": "Red Hat", "product": "Service Interconnect 1 for RHEL 9", "versions": [{"status": "unaffected", "version": "1.8.3-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "service-interconnect/skupper-site-controller-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-12-20T17:33:05.858Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-12-20T00:00:00.000Z", "value": "Made public."}], "datePublic": "2024-12-20T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1413", "name": "RHSA-2025:1413", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-12582", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540", "name": "RHBZ#2333540", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/skupperproject/skupper/pull/1833"}], "workarounds": [{"lang": "en", "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-305", "description": "Authentication Bypass by Primary Weakness"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-06T16:47:35.179Z"}, "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness"}}, "cveMetadata": {"cveId": "CVE-2024-12582", "state": "PUBLISHED", "dateUpdated": "2026-05-06T16:47:35.179Z", "dateReserved": "2024-12-12T17:10:04.729Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-12-24T03:31:24.896Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la consola del cl\u00faster, una interfaz de solo lectura que muestra la red del cl\u00faster, detalles de tr\u00e1fico y m\u00e9tricas para una aplicaci\u00f3n de red que un usuario configura en un entorno h\u00edbrido de m\u00faltiples nubes. Cuando se utiliza el m\u00e9todo de autenticaci\u00f3n predeterminado, se genera una contrase\u00f1a aleatoria para el usuario \"admin\" y se conserva en un secreto de Kubernetes o en un volumen podman en un archivo de texto plano. Este m\u00e9todo de autenticaci\u00f3n puede ser manipulado por un atacante, lo que lleva a la lectura de cualquier archivo legible por el usuario en el sistema de archivos contenedor, lo que afecta directamente la confidencialidad de los datos. Adem\u00e1s, el atacante puede inducir a la recopilaci\u00f3n a leer archivos extremadamente grandes en la memoria, lo que provoca el agotamiento de los recursos y un ataque de denegaci\u00f3n de servicio."}], "id": "CVE-2024-12582", "lastModified": "2026-05-06T17:16:18.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-12-24T04:15:05.137", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1413"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-12582"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540"}, {"source": "secalert@redhat.com", "url": "https://github.com/skupperproject/skupper/pull/1833"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-container-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.7.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1413", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.8.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}], "bugzilla": {"description": "skupper: skupper-cli: Flawed authentication method may lead to arbitrary file read or Denial of Service", "id": "2333540", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333540"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-305", "details": ["A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.", "A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the \"admin\" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack."], "mitigation": {"lang": "en:us", "value": "For users running skupper on Red Hat OpenShift, the OpenShift authentication should be used. Otherwise, use \"unsecured\" where authentication is not a primary concern."}, "name": "CVE-2024-12582", "public_date": "2024-12-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12582\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12582"], "statement": "This vulnerability is rated as an Important severity due to the risk of data confidentiality breaches and potential denial-of-service attacks where attackers can manipulate the default authentication method to access sensitive files and exhaust system resources by reading large files, affecting both data integrity and service availability in hybrid multi-cloud environments.", "threat_severity": "Important"}