CVE-2024-11217

Oauth-server-container: oauth-server-container logs client secret in debug level

CVSS 4.9 MEDIUM · EPSS 0.4% · CWE-1295
In short

The OAuth-server application accidentally logs sensitive client secrets to debug logs when debugging is enabled for certain login services. This means anyone with access to debug logs could see credentials needed to impersonate the application.

Technical detail

CWE-1295 (Improper Handling of Insufficient Entropy in TRNG) manifests as credential exposure in debug output. When logLevel is set to Debug or higher for OIDC/GitHub/GitLab/Google IdP configurations, OAuth2 client secrets are written to logs. An attacker with read access to application logs can extract these credentials and abuse them for authentication bypass or token manipulation.
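The defect class above, shown as an added example that is not code from the page or from Red Hat's oauth-server: a configuration struct dumped at debug level leaks the client secret, a wrapper type that implements fmt's Stringer/GoStringer closes the leak, and a small check scans captured log lines for a known secret. All type and function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// IdPConfig is a hypothetical stand-in for an OIDC/GitHub/GitLab/Google identity provider
// configuration; the field names are assumed and are not oauth-server's own types.
type IdPConfig struct{ Name, Kind, ClientID, ClientSecret string }
// vulnerableDebugLine shows the defect class: formatting the whole configuration at
// debug level copies the client secret verbatim into the log.
func vulnerableDebugLine(cfg IdPConfig) string {
	return fmt.Sprintf("DEBUG configuring identity provider: %+v", cfg)
}
// Secret wraps a credential so every fmt verb (%v, %+v, %s, %#v) prints a marker
// instead of the value; code that really needs it converts with string(s).
type Secret string
func (Secret) String() string   { return "[REDACTED]" }
func (Secret) GoString() string { return "[REDACTED]" }
// HardenedIdPConfig stores the secret as Secret, so the same debug statement cannot leak it.
type HardenedIdPConfig struct {
	Name, Kind, ClientID string
	ClientSecret         Secret
}
func hardenedDebugLine(cfg HardenedIdPConfig) string {
	return fmt.Sprintf("DEBUG configuring identity provider: %+v", cfg)
}

// leakedLines is the check to run over captured debug output: it returns the 0-based
// indexes of log lines that contain any of the known client secrets.
func leakedLines(logLines, secrets []string) (hits []int) {
	for i, line := range logLines {
		for _, s := range secrets {
			if s != "" && strings.Contains(line, s) {
				hits = append(hits, i)
				break
			}
		}
	}
	return hits
}

func main() {
	const secret = "constructed-secret-0123" // constructed sample value, not a real credential
	v := IdPConfig{Name: "github", Kind: "GitHub", ClientID: "abc", ClientSecret: secret}
	h := HardenedIdPConfig{Name: "github", Kind: "GitHub", ClientID: "abc", ClientSecret: Secret(secret)}
	lines := []string{vulnerableDebugLine(v), hardenedDebugLine(h)}
	fmt.Println(strings.Join(lines, "\n"), "\nleaking:", leakedLines(lines, []string{secret})) // leaking: [0]
}
```

Because the redaction lives on the type rather than at each log call, any future %v-style dump of the configuration stays safe as well.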

Summary generated and translated by AI from the official description.
A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug or higher for OIDC/GitHub/GitLab/Google IdP login options.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected products
oauth-server-container · Red Hat · Red Hat OpenShift Container Platform 4
