x/vulndb: potential Go vuln in github.com/openshift/console: GHSA-4crf-28c7-v4gr

[GoVulnBot]

Advisory GHSA-4crf-28c7-v4gr references a vulnerability in the following Go modules:

Module
github.com/openshift/console

Description:
An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

References:

• ADVISORY: GHSA-4crf-28c7-v4gr
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-6508
• WEB: https://access.redhat.com/security/cve/CVE-2024-6508
• WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2295777

Cross references:

• github.com/openshift/console appears in 1 other report(s):
  • data/excluded/GO-2023-2208.yaml (x/vulndb: potential Go vuln in github.com/openshift/console: CVE-2018-10937 #2208) LEGACY_FALSE_POSITIVE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openshift/console
      vulnerable_at: 6.0.6+incompatible
summary: Openshift Console insufficient entropy vulnerability in github.com/openshift/console
cves:
    - CVE-2024-6508
ghsas:
    - GHSA-4crf-28c7-v4gr
references:
    - advisory: https://github.com/advisories/GHSA-4crf-28c7-v4gr
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6508
    - web: https://access.redhat.com/security/cve/CVE-2024-6508
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2295777
source:
    id: GHSA-4crf-28c7-v4gr
    created: 2024-08-21T21:01:22.043402439Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/609141 mentions this issue: data/reports: add 21 unreviewed reports