golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/skupperproject/skupper: GHSA-w799-v85j-88pg #2987

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 1 month ago

Advisory GHSA-w799-v85j-88pg references a vulnerability in the following Go modules:

Module
github.com/skupperproject/skupper

Description: A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.

References:

Cross references: No existing reports found with this module or alias. See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/skupperproject/skupper
      versions:
        - fixed: 0.0.0-20240703184342-c26bce4079ff
summary: Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper
cves:
    - CVE-2024-6535
ghsas:
    - GHSA-w799-v85j-88pg
references:
    - advisory: https://github.com/advisories/GHSA-w799-v85j-88pg
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6535
    - fix: https://github.com/skupperproject/skupper/commit/d2cb3782e807853694ee66b6e3d4a1917485eb71
    - web: https://access.redhat.com/security/cve/CVE-2024-6535
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2296024
notes:
    - fix: 'github.com/skupperproject/skupper: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-w799-v85j-88pg
    created: 2024-07-17T16:01:20.190137841Z
review_status: UNREVIEWED
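The advisory above describes an oauth-proxy configured with a static cookie-secret and a bypass via a "specially-crafted cookie". The following is an added example written for this issue; it is not Skupper's code, not the fix commit, and not the openshift oauth-proxy's actual cookie format. It assumes a generic HMAC-signed session cookie of the form value.signature (an assumption chosen to illustrate the point), uses a placeholder static secret, and shows why a secret shared across every deployment lets anyone who has read the template forge a valid cookie, while a per-deployment random secret from crypto/rand does not. It also includes a small audit helper that flags a configured secret matching a known published value.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// staticCookieSecret stands in for a secret hard-coded into a deployment
// template. The value is a placeholder invented for this example, not the
// one from the advisory or from the Skupper source.
const staticCookieSecret = "static-placeholder-secret"

// GenerateCookieSecret returns n cryptographically random bytes, base64
// encoded, for use as a per-deployment cookie secret.
func GenerateCookieSecret(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// SignCookie builds an HMAC-SHA256 signed cookie "value.signature"
// (illustrative format, not oauth-proxy's).
func SignCookie(secret, value string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(value))
	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return value + "." + sig
}

// VerifyCookie recomputes the signature under secret and compares it in
// constant time. It returns the signed value and whether it verified.
func VerifyCookie(secret, cookie string) (string, bool) {
	// The signature is RawURL base64 and never contains '.', so the last
	// '.' is always the separator even if the value itself contains one.
	i := strings.LastIndexByte(cookie, '.')
	if i < 0 {
		return "", false
	}
	value, sig := cookie[:i], cookie[i+1:]
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(value))
	want := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(sig), []byte(want)) {
		return "", false
	}
	return value, true
}

// IsKnownStaticSecret is a simple audit check: does the configured secret
// equal any value known to be published (for example, baked into a template)?
func IsKnownStaticSecret(secret string, published []string) bool {
	for _, p := range published {
		if hmac.Equal([]byte(secret), []byte(p)) {
			return true
		}
	}
	return false
}

func main() {
	// An attacker who has read the public template knows the static secret
	// and forges a cookie for a privileged session (the value is invented).
	forged := SignCookie(staticCookieSecret, "user=admin")
	_, ok := VerifyCookie(staticCookieSecret, forged)
	fmt.Println("static secret, forged cookie accepted:", ok)

	// With a secret generated at deploy time, the same forged cookie fails.
	perDeploy, err := GenerateCookieSecret(32)
	if err != nil {
		panic(err)
	}
	_, ok = VerifyCookie(perDeploy, forged)
	fmt.Println("random secret, forged cookie accepted:", ok)

	fmt.Println("configured secret is a known static value:",
		IsKnownStaticSecret(staticCookieSecret, []string{staticCookieSecret}))
}
```

The check that matters operationally is the last one: whatever the proxy's real cookie scheme, a secret that is the same in every installation is public once one template is published, so an audit should compare the deployed value against known defaults rather than reason about cookie internals.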

gopherbot commented 1 month ago

Change https://go.dev/cl/599457 mentions this issue: data/excluded,data/reports: add 6 reports

gopherbot commented 3 weeks ago

Change https://go.dev/cl/606359 mentions this issue: data/reports: regenerate 50 reports