CVE-2024-12582

HIGH EPSS 37.8%

Published Dec 24, 20241y ago · Modified Jun 18, 20261w ago

7.1 CVSS 3.1

High

Published Dec 24, 2024 1y ago

Last Modified Jun 18, 2026 1w ago

Description

A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

CVSS Details

Base Score

7.1

Exploitability

2.8

Impact

4.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

37.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-305

References 4

access.redhat.com https://access.redhat.com/errata/RHSA-2025:1413
access.redhat.com https://access.redhat.com/security/cve/CVE-2024-12582
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2333540
github.com https://github.com/skupperproject/skupper/pull/1833

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.