CVE-2024-5037 - Vulnerability Details

Vendors	Products
Redhat	Logging Openshift Openshift Container Platform Openshift Distributed Tracing

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.12
openshift4/ose-telemeter:v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8	cpe:/a:redhat:openshift:4.12::el8	RHSA-2024:5200	2024-08-19T00:00:00Z
Red Hat OpenShift Container Platform 4.13
openshift4/ose-telemeter:v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8	cpe:/a:redhat:openshift:4.13::el8	RHSA-2024:4484	2024-07-17T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4/ose-telemeter:v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2024:4329	2024-07-11T00:00:00Z
Red Hat OpenShift Container Platform 4.15
openshift4/ose-telemeter-rhel9:v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9	cpe:/a:redhat:openshift:4.15::el9	RHSA-2024:4151	2024-07-02T00:00:00Z
Red Hat OpenShift Container Platform 4.16
openshift4/ose-telemeter-rhel9:v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2024:4156	2024-07-03T00:00:00Z

Link	Providers
https://access.redhat.com/errata/RHSA-2024:4151
https://access.redhat.com/errata/RHSA-2024:4156
https://access.redhat.com/errata/RHSA-2024:4329
https://access.redhat.com/errata/RHSA-2024:4484
https://access.redhat.com/errata/RHSA-2024:5200
https://access.redhat.com/security/cve/CVE-2024-5037
https://bugzilla.redhat.com/show_bug.cgi?id=2272339
https://github.com/kubernetes/kubernetes/pull/123540
https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78
https://nvd.nist.gov/vuln/detail/CVE-2024-5037
https://www.cve.org/CVERecord?id=CVE-2024-5037

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_distributed_tracing:3

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.12::el8 cpe:/a:redhat:openshift:4.12::el9
References		https://access.redhat.com/errata/RHSA-2024:5200

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5037", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-05-16T22:03:32.375Z", "datePublished": "2024-06-05T18:03:23.194Z", "dateUpdated": "2025-02-06T08:30:19.750Z"}, "containers": {"cna": {"title": "Openshift/telemeter: iss check during jwt authentication can be bypassed", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue (\"iss\") check during JSON web token (JWT) authentication."}], "affected": [{"versions": [{"status": "affected", "version": "4.16", "lessThan": "4.17", "versionType": "semver"}], "packageName": "telemeter", "collectionURL": "https://github.com/openshift/telemeter", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.12", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-telemeter", "defaultStatus": "affected", "versions": [{"version": "v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.12::el8", "cpe:/a:redhat:openshift:4.12::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-telemeter", "defaultStatus": "affected", "versions": [{"version": "v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-telemeter", "defaultStatus": "affected", "versions": [{"version": "v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-telemeter-rhel9", "defaultStatus": "affected", "versions": [{"version": "v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/ose-telemeter-rhel9", "defaultStatus": "affected", "versions": [{"version": "v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.16::el9"]}, {"vendor": "Red Hat", "product": "Logging Subsystem for Red Hat OpenShift", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift-logging/opa-openshift-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:logging:5"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-gateway-opa-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:2"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-gateway-opa-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4151", "name": "RHSA-2024:4151", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4156", "name": "RHSA-2024:4156", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4329", "name": "RHSA-2024:4329", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4484", "name": "RHSA-2024:4484", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:5200", "name": "RHSA-2024:5200", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-5037", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339", "name": "RHBZ#2272339", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/kubernetes/kubernetes/pull/123540"}, {"url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78"}], "datePublic": "2024-06-05T17:51:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-290: Authentication Bypass by Spoofing", "timeline": [{"lang": "en", "time": "2024-03-30T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-06-05T17:51:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-06T08:30:19.750Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-13T20:15:59.404791Z", "id": "CVE-2024-5037", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-13T20:16:05.375Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:10.506Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4151", "name": "RHSA-2024:4151", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4156", "name": "RHSA-2024:4156", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4329", "name": "RHSA-2024:4329", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4484", "name": "RHSA-2024:4484", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-5037", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339", "name": "RHBZ#2272339", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/kubernetes/kubernetes/pull/123540", "tags": ["x_transferred"]}, {"url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78", "tags": ["x_transferred"]}]}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-5037 (string)

assignerOrgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

state : PUBLISHED (string)

assignerShortName : redhat (string)

dateReserved : 2024-05-16T22:03:32.375Z (string)

datePublished : 2024-06-05T18:03:23.194Z (string)

dateUpdated : 2025-02-06T08:30:19.750Z (string)

}

containers : { »

cna : { »

title : Openshift/telemeter: iss check during jwt authentication can be bypassed (string)

metrics : [ »

0 : { »

other : { »

content : { »

value : Important (string)

namespace : https://access.redhat.com/security/updates/classification/ (string)

}

type : Red Hat severity rating (string)

}

1 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

format : CVSS (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication. (string)

}

]

affected : [ »

0 : { »

versions : [ »

0 : { »

status : affected (string)

version : 4.16 (string)

lessThan : 4.17 (string)

versionType : semver (string)

}

]

packageName : telemeter (string)

collectionURL : https://github.com/openshift/telemeter (string)

defaultStatus : unaffected (string)

}

1 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.12 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

packageName : openshift4/ose-telemeter (string)

defaultStatus : affected (string)

versions : [ »

0 : { »

version : v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8 (string)

lessThan : * (string)

versionType : rpm (string)

status : unaffected (string)

}

]

cpes : [ »

0 : cpe:/a:redhat:openshift:4.12::el8 (string)

1 : cpe:/a:redhat:openshift:4.12::el9 (string)

]

}

2 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.13 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

packageName : openshift4/ose-telemeter (string)

defaultStatus : affected (string)

versions : [ »

0 : { »

version : v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8 (string)

lessThan : * (string)

versionType : rpm (string)

status : unaffected (string)

}

]

cpes : [ »

0 : cpe:/a:redhat:openshift:4.13::el8 (string)

1 : cpe:/a:redhat:openshift:4.13::el9 (string)

]

}

3 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.14 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

packageName : openshift4/ose-telemeter (string)

defaultStatus : affected (string)

versions : [ »

0 : { »

version : v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8 (string)

lessThan : * (string)

versionType : rpm (string)

status : unaffected (string)

}

]

cpes : [ »

0 : cpe:/a:redhat:openshift:4.14::el9 (string)

1 : cpe:/a:redhat:openshift:4.14::el8 (string)

]

}

4 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.15 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

packageName : openshift4/ose-telemeter-rhel9 (string)

defaultStatus : affected (string)

versions : [ »

0 : { »

version : v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9 (string)

lessThan : * (string)

versionType : rpm (string)

status : unaffected (string)

}

]

cpes : [ »

0 : cpe:/a:redhat:openshift:4.15::el9 (string)

1 : cpe:/a:redhat:openshift:4.15::el8 (string)

]

}

5 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.16 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

packageName : openshift4/ose-telemeter-rhel9 (string)

defaultStatus : affected (string)

versions : [ »

0 : { »

version : v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9 (string)

lessThan : * (string)

versionType : rpm (string)

status : unaffected (string)

}

]

cpes : [ »

0 : cpe:/a:redhat:openshift:4.16::el9 (string)

]

}

6 : { »

vendor : Red Hat (string)

product : Logging Subsystem for Red Hat OpenShift (string)

collectionURL : https://access.redhat.com/downloads/content/package-browser/ (string)

packageName : openshift-logging/opa-openshift-rhel8 (string)

defaultStatus : unaffected (string)

cpes : [ »

0 : cpe:/a:redhat:logging:5 (string)

]

}

7 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift distributed tracing 2 (string)

collectionURL : https://access.redhat.com/downloads/content/package-browser/ (string)

packageName : rhosdt/tempo-gateway-opa-rhel8 (string)

defaultStatus : affected (string)

cpes : [ »

0 : cpe:/a:redhat:openshift_distributed_tracing:2 (string)

]

}

8 : { »

vendor : Red Hat (string)

product : Red Hat OpenShift distributed tracing 3 (string)

collectionURL : https://access.redhat.com/downloads/content/package-browser/ (string)

packageName : rhosdt/tempo-gateway-opa-rhel8 (string)

defaultStatus : affected (string)

cpes : [ »

0 : cpe:/a:redhat:openshift_distributed_tracing:3 (string)

]

}

]

references : [ »

0 : { »

url : https://access.redhat.com/errata/RHSA-2024:4151 (string)

name : RHSA-2024:4151 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

1 : { »

url : https://access.redhat.com/errata/RHSA-2024:4156 (string)

name : RHSA-2024:4156 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

2 : { »

url : https://access.redhat.com/errata/RHSA-2024:4329 (string)

name : RHSA-2024:4329 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

3 : { »

url : https://access.redhat.com/errata/RHSA-2024:4484 (string)

name : RHSA-2024:4484 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

4 : { »

url : https://access.redhat.com/errata/RHSA-2024:5200 (string)

name : RHSA-2024:5200 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

5 : { »

url : https://access.redhat.com/security/cve/CVE-2024-5037 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_REDHAT (string)

]

}

6 : { »

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

name : RHBZ#2272339 (string)

tags : [ »

0 : issue-tracking (string)

1 : x_refsource_REDHAT (string)

]

}

7 : { »

url : https://github.com/kubernetes/kubernetes/pull/123540 (string)

}

8 : { »

url : https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

}

]

datePublic : 2024-06-05T17:51:00.000Z (string)

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-290 (string)

description : Authentication Bypass by Spoofing (string)

lang : en (string)

type : CWE (string)

}

]

}

]

x_redhatCweChain : CWE-290: Authentication Bypass by Spoofing (string)

timeline : [ »

0 : { »

lang : en (string)

time : 2024-03-30T00:00:00+00:00 (string)

value : Reported to Red Hat. (string)

}

1 : { »

lang : en (string)

time : 2024-06-05T17:51:00+00:00 (string)

value : Made public. (string)

}

]

providerMetadata : { »

orgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

shortName : redhat (string)

dateUpdated : 2025-02-06T08:30:19.750Z (string)

}

adp : [ »

0 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2024-07-13T20:15:59.404791Z (string)

id : CVE-2024-5037 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-07-13T20:16:05.375Z (string)

}

1 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-01T21:03:10.506Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://access.redhat.com/errata/RHSA-2024:4151 (string)

name : RHSA-2024:4151 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

1 : { »

url : https://access.redhat.com/errata/RHSA-2024:4156 (string)

name : RHSA-2024:4156 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

2 : { »

url : https://access.redhat.com/errata/RHSA-2024:4329 (string)

name : RHSA-2024:4329 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

3 : { »

url : https://access.redhat.com/errata/RHSA-2024:4484 (string)

name : RHSA-2024:4484 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

4 : { »

url : https://access.redhat.com/security/cve/CVE-2024-5037 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

5 : { »

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

name : RHBZ#2272339 (string)

tags : [ »

0 : issue-tracking (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

6 : { »

url : https://github.com/kubernetes/kubernetes/pull/123540 (string)

tags : [ »

0 : x_transferred (string)

]

}

7 : { »

url : https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4151", "name": "RHSA-2024:4151", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4156", "name": "RHSA-2024:4156", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4329", "name": "RHSA-2024:4329", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4484", "name": "RHSA-2024:4484", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-5037", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339", "name": "RHBZ#2272339", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/kubernetes/kubernetes/pull/123540", "tags": ["x_transferred"]}, {"url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:10.506Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-13T20:15:59.404791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-13T20:16:02.580Z"}}], "cna": {"title": "Openshift/telemeter: iss check during jwt authentication can be bypassed", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "4.16", "lessThan": "4.17", "versionType": "semver"}], "packageName": "telemeter", "collectionURL": "https://github.com/openshift/telemeter", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4.12::el8", "cpe:/a:redhat:openshift:4.12::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.12", "versions": [{"status": "unaffected", "version": "v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-telemeter", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "versions": [{"status": "unaffected", "version": "v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-telemeter", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "versions": [{"status": "unaffected", "version": "v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-telemeter", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "versions": [{"status": "unaffected", "version": "v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-telemeter-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.16::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "versions": [{"status": "unaffected", "version": "v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/ose-telemeter-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:logging:5"], "vendor": "Red Hat", "product": "Logging Subsystem for Red Hat OpenShift", "packageName": "openshift-logging/opa-openshift-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:2"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 2", "packageName": "rhosdt/tempo-gateway-opa-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "packageName": "rhosdt/tempo-gateway-opa-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-03-30T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-06-05T17:51:00+00:00", "value": "Made public."}], "datePublic": "2024-06-05T17:51:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4151", "name": "RHSA-2024:4151", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4156", "name": "RHSA-2024:4156", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4329", "name": "RHSA-2024:4329", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4484", "name": "RHSA-2024:4484", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:5200", "name": "RHSA-2024:5200", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-5037", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339", "name": "RHBZ#2272339", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/kubernetes/kubernetes/pull/123540"}, {"url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78"}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue (\"iss\") check during JSON web token (JWT) authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-06T08:30:19.750Z"}, "x_redhatCweChain": "CWE-290: Authentication Bypass by Spoofing"}}, "cveMetadata": {"cveId": "CVE-2024-5037", "state": "PUBLISHED", "dateUpdated": "2025-02-06T08:30:19.750Z", "dateReserved": "2024-05-16T22:03:32.375Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-06-05T18:03:23.194Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://access.redhat.com/errata/RHSA-2024:4151 (string)

name : RHSA-2024:4151 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

1 : { »

url : https://access.redhat.com/errata/RHSA-2024:4156 (string)

name : RHSA-2024:4156 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

2 : { »

url : https://access.redhat.com/errata/RHSA-2024:4329 (string)

name : RHSA-2024:4329 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

3 : { »

url : https://access.redhat.com/errata/RHSA-2024:4484 (string)

name : RHSA-2024:4484 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

4 : { »

url : https://access.redhat.com/security/cve/CVE-2024-5037 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

5 : { »

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

name : RHBZ#2272339 (string)

tags : [ »

0 : issue-tracking (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

}

6 : { »

url : https://github.com/kubernetes/kubernetes/pull/123540 (string)

tags : [ »

0 : x_transferred (string)

]

}

7 : { »

url : https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-01T21:03:10.506Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-5037 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-07-13T20:15:59.404791Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-07-13T20:16:02.580Z (string)

}

]

cna : { »

title : Openshift/telemeter: iss check during jwt authentication can be bypassed (string)

metrics : [ »

0 : { »

other : { »

type : Red Hat severity rating (string)

content : { »

value : Important (string)

namespace : https://access.redhat.com/security/updates/classification/ (string)

}

1 : { »

format : CVSS (string)

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 7.5 (number)

attackVector : NETWORK (string)

baseSeverity : HIGH (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

integrityImpact : NONE (string)

userInteraction : NONE (string)

attackComplexity : LOW (string)

availabilityImpact : NONE (string)

privilegesRequired : NONE (string)

confidentialityImpact : HIGH (string)

}

]

affected : [ »

0 : { »

versions : [ »

0 : { »

status : affected (string)

version : 4.16 (string)

lessThan : 4.17 (string)

versionType : semver (string)

}

]

packageName : telemeter (string)

collectionURL : https://github.com/openshift/telemeter (string)

defaultStatus : unaffected (string)

}

1 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift:4.12::el8 (string)

1 : cpe:/a:redhat:openshift:4.12::el9 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.12 (string)

versions : [ »

0 : { »

status : unaffected (string)

version : v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8 (string)

lessThan : * (string)

versionType : rpm (string)

}

]

packageName : openshift4/ose-telemeter (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

defaultStatus : affected (string)

}

2 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift:4.13::el8 (string)

1 : cpe:/a:redhat:openshift:4.13::el9 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.13 (string)

versions : [ »

0 : { »

status : unaffected (string)

version : v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8 (string)

lessThan : * (string)

versionType : rpm (string)

}

]

packageName : openshift4/ose-telemeter (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

defaultStatus : affected (string)

}

3 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift:4.14::el9 (string)

1 : cpe:/a:redhat:openshift:4.14::el8 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.14 (string)

versions : [ »

0 : { »

status : unaffected (string)

version : v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8 (string)

lessThan : * (string)

versionType : rpm (string)

}

]

packageName : openshift4/ose-telemeter (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

defaultStatus : affected (string)

}

4 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift:4.15::el9 (string)

1 : cpe:/a:redhat:openshift:4.15::el8 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.15 (string)

versions : [ »

0 : { »

status : unaffected (string)

version : v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9 (string)

lessThan : * (string)

versionType : rpm (string)

}

]

packageName : openshift4/ose-telemeter-rhel9 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

defaultStatus : affected (string)

}

5 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift:4.16::el9 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift Container Platform 4.16 (string)

versions : [ »

0 : { »

status : unaffected (string)

version : v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9 (string)

lessThan : * (string)

versionType : rpm (string)

}

]

packageName : openshift4/ose-telemeter-rhel9 (string)

collectionURL : https://catalog.redhat.com/software/containers/ (string)

defaultStatus : affected (string)

}

6 : { »

cpes : [ »

0 : cpe:/a:redhat:logging:5 (string)

]

vendor : Red Hat (string)

product : Logging Subsystem for Red Hat OpenShift (string)

packageName : openshift-logging/opa-openshift-rhel8 (string)

collectionURL : https://access.redhat.com/downloads/content/package-browser/ (string)

defaultStatus : unaffected (string)

}

7 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift_distributed_tracing:2 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift distributed tracing 2 (string)

packageName : rhosdt/tempo-gateway-opa-rhel8 (string)

collectionURL : https://access.redhat.com/downloads/content/package-browser/ (string)

defaultStatus : affected (string)

}

8 : { »

cpes : [ »

0 : cpe:/a:redhat:openshift_distributed_tracing:3 (string)

]

vendor : Red Hat (string)

product : Red Hat OpenShift distributed tracing 3 (string)

packageName : rhosdt/tempo-gateway-opa-rhel8 (string)

collectionURL : https://access.redhat.com/downloads/content/package-browser/ (string)

defaultStatus : affected (string)

}

]

timeline : [ »

0 : { »

lang : en (string)

time : 2024-03-30T00:00:00+00:00 (string)

value : Reported to Red Hat. (string)

}

1 : { »

lang : en (string)

time : 2024-06-05T17:51:00+00:00 (string)

value : Made public. (string)

}

]

datePublic : 2024-06-05T17:51:00.000Z (string)

references : [ »

0 : { »

url : https://access.redhat.com/errata/RHSA-2024:4151 (string)

name : RHSA-2024:4151 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

1 : { »

url : https://access.redhat.com/errata/RHSA-2024:4156 (string)

name : RHSA-2024:4156 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

2 : { »

url : https://access.redhat.com/errata/RHSA-2024:4329 (string)

name : RHSA-2024:4329 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

3 : { »

url : https://access.redhat.com/errata/RHSA-2024:4484 (string)

name : RHSA-2024:4484 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

4 : { »

url : https://access.redhat.com/errata/RHSA-2024:5200 (string)

name : RHSA-2024:5200 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

}

5 : { »

url : https://access.redhat.com/security/cve/CVE-2024-5037 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_REDHAT (string)

]

}

6 : { »

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

name : RHBZ#2272339 (string)

tags : [ »

0 : issue-tracking (string)

1 : x_refsource_REDHAT (string)

]

}

7 : { »

url : https://github.com/kubernetes/kubernetes/pull/123540 (string)

}

8 : { »

url : https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-290 (string)

description : Authentication Bypass by Spoofing (string)

}

]

}

]

providerMetadata : { »

orgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

shortName : redhat (string)

dateUpdated : 2025-02-06T08:30:19.750Z (string)

}

x_redhatCweChain : CWE-290: Authentication Bypass by Spoofing (string)

}

cveMetadata : { »

cveId : CVE-2024-5037 (string)

state : PUBLISHED (string)

dateUpdated : 2025-02-06T08:30:19.750Z (string)

dateReserved : 2024-05-16T22:03:32.375Z (string)

assignerOrgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

datePublished : 2024-06-05T18:03:23.194Z (string)

assignerShortName : redhat (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_distributed_tracing:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC859D38-CE10-4898-96CF-681BC3714AF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue (\"iss\") check during JSON web token (JWT) authentication."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Telemeter de OpenShift. Si se cumplen ciertas condiciones, un atacante puede usar un token falsificado para evitar la verificaci\u00f3n del problema (\"iss\") durante la autenticaci\u00f3n del token web JSON (JWT)."}], "id": "CVE-2024-5037", "lastModified": "2024-11-21T09:46:49.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-05T18:15:11.747", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4151"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4156"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4329"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4484"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:5200"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-5037"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/pull/123540"}, {"source": "secalert@redhat.com", "tags": ["Product"], "url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4151"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4156"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4329"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4484"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-5037"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/pull/123540"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 932D137F-528B-4526-9A89-CD59FA1AB0FE (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:redhat:openshift_distributed_tracing:2.0:*:*:*:*:*:*:* (string)

matchCriteriaId : BC859D38-CE10-4898-96CF-681BC3714AF7 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication. (string)

}

1 : { »

lang : es (string)

value : Se encontró una falla en Telemeter de OpenShift. Si se cumplen ciertas condiciones, un atacante puede usar un token falsificado para evitar la verificación del problema ("iss") durante la autenticación del token web JSON (JWT). (string)

}

]

id : CVE-2024-5037 (string)

lastModified : 2024-11-21T09:46:49.777 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : secalert@redhat.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2024-06-05T18:15:11.747 (string)

references : [ »

0 : { »

source : secalert@redhat.com (string)

url : https://access.redhat.com/errata/RHSA-2024:4151 (string)

}

1 : { »

source : secalert@redhat.com (string)

url : https://access.redhat.com/errata/RHSA-2024:4156 (string)

}

2 : { »

source : secalert@redhat.com (string)

url : https://access.redhat.com/errata/RHSA-2024:4329 (string)

}

3 : { »

source : secalert@redhat.com (string)

url : https://access.redhat.com/errata/RHSA-2024:4484 (string)

}

4 : { »

source : secalert@redhat.com (string)

url : https://access.redhat.com/errata/RHSA-2024:5200 (string)

}

5 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://access.redhat.com/security/cve/CVE-2024-5037 (string)

}

6 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Issue Tracking (string)

1 : Vendor Advisory (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

}

7 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/kubernetes/kubernetes/pull/123540 (string)

}

8 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Product (string)

]

url : https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://access.redhat.com/errata/RHSA-2024:4151 (string)

}

10 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://access.redhat.com/errata/RHSA-2024:4156 (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://access.redhat.com/errata/RHSA-2024:4329 (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://access.redhat.com/errata/RHSA-2024:4484 (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://access.redhat.com/security/cve/CVE-2024-5037 (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Vendor Advisory (string)

]

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/kubernetes/kubernetes/pull/123540 (string)

}

16 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Product (string)

]

url : https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

}

]

sourceIdentifier : secalert@redhat.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-290 (string)

}

]

source : secalert@redhat.com (string)

type : Secondary (string)

}

]

}

Show plain JSON

{"affected_release": [{"advisory": "RHSA-2024:5200", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift4/ose-telemeter:v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:4484", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-telemeter:v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4329", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-telemeter:v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2024-07-11T00:00:00Z"}, {"advisory": "RHSA-2024:4151", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "openshift4/ose-telemeter-rhel9:v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4156", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-telemeter-rhel9:v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-07-03T00:00:00Z"}], "bugzilla": {"description": "openshift/telemeter: iss check during JWT authentication can be bypassed", "id": "2272339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272339"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-290", "details": ["A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue (\"iss\") check during JSON web token (JWT) authentication.", "A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue (\"iss\") check during JSON web token (JWT) authentication."], "name": "CVE-2024-5037", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/opa-openshift-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/tempo-gateway-opa-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-gateway-opa-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2024-06-05T17:51:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-5037\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5037\nhttps://github.com/kubernetes/kubernetes/pull/123540\nhttps://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78"], "threat_severity": "Important"}

{

affected_release : [ »

0 : { »

advisory : RHSA-2024:5200 (string)

cpe : cpe:/a:redhat:openshift:4.12::el8 (string)

package : openshift4/ose-telemeter:v4.12.0-202408071159.p0.gc9592de.assembly.stream.el8 (string)

product_name : Red Hat OpenShift Container Platform 4.12 (string)

release_date : 2024-08-19T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2024:4484 (string)

cpe : cpe:/a:redhat:openshift:4.13::el8 (string)

package : openshift4/ose-telemeter:v4.13.0-202407081338.p0.g0634a6d.assembly.stream.el8 (string)

product_name : Red Hat OpenShift Container Platform 4.13 (string)

release_date : 2024-07-17T00:00:00Z (string)

}

2 : { »

advisory : RHSA-2024:4329 (string)

cpe : cpe:/a:redhat:openshift:4.14::el8 (string)

package : openshift4/ose-telemeter:v4.14.0-202407021509.p0.g1f72681.assembly.stream.el8 (string)

product_name : Red Hat OpenShift Container Platform 4.14 (string)

release_date : 2024-07-11T00:00:00Z (string)

}

3 : { »

advisory : RHSA-2024:4151 (string)

cpe : cpe:/a:redhat:openshift:4.15::el9 (string)

package : openshift4/ose-telemeter-rhel9:v4.15.0-202406200537.p0.g14489f7.assembly.stream.el9 (string)

product_name : Red Hat OpenShift Container Platform 4.15 (string)

release_date : 2024-07-02T00:00:00Z (string)

}

4 : { »

advisory : RHSA-2024:4156 (string)

cpe : cpe:/a:redhat:openshift:4.16::el9 (string)

package : openshift4/ose-telemeter-rhel9:v4.16.0-202406200537.p0.gc1ecd10.assembly.stream.el9 (string)

product_name : Red Hat OpenShift Container Platform 4.16 (string)

release_date : 2024-07-03T00:00:00Z (string)

}

]

bugzilla : { »

description : openshift/telemeter: iss check during JWT authentication can be bypassed (string)

id : 2272339 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2272339 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

status : verified (string)

}

cwe : CWE-290 (string)

details : [ »

0 : A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication. (string)

1 : A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication. (string)

]

name : CVE-2024-5037 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:logging:5 (string)

fix_state : Not affected (string)

package_name : openshift-logging/opa-openshift-rhel8 (string)

product_name : Logging Subsystem for Red Hat OpenShift (string)

}

1 : { »

cpe : cpe:/a:redhat:openshift_distributed_tracing:2 (string)

fix_state : Affected (string)

package_name : rhosdt/tempo-gateway-opa-rhel8 (string)

product_name : Red Hat OpenShift distributed tracing 2 (string)

}

2 : { »

cpe : cpe:/a:redhat:openshift_distributed_tracing:3 (string)

fix_state : Affected (string)

package_name : rhosdt/tempo-gateway-opa-rhel8 (string)

product_name : Red Hat OpenShift distributed tracing 3 (string)

}

]

public_date : 2024-06-05T17:51:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2024-5037 https://nvd.nist.gov/vuln/detail/CVE-2024-5037 https://github.com/kubernetes/kubernetes/pull/123540 https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78 (string)

]

threat_severity : Important (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object