CVE-2024-6535: Use of Default Credentials
A flaw was found in Skupper. When Skupper is initialized with the console enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially crafted cookie.
AI Analysis
Technical Summary
CVE-2024-6535 is a vulnerability in Skupper, an open-source project that provides secure communication between applications across different Kubernetes clusters. The flaw arises when Skupper is initialized with the console enabled and the console-auth parameter set to Openshift. Under these conditions, the openshift oauth-proxy component is configured with a static cookie-secret. That secret is used to sign authentication cookies; because it is neither dynamically generated nor unique per deployment, an attacker can forge a cookie that the oauth-proxy accepts as valid and so bypass the authentication protecting the Skupper console. The vulnerability does not expose confidential data directly and does not affect availability, but it compromises the integrity of the console's access control. The attack vector is network-based and requires no privileges or user interaction, so it is relatively easy to exploit by anyone who can reach the console endpoint. The vulnerability was published on July 17, 2024, with a CVSS v3.1 score of 5.3 (medium severity), indicating moderate risk. No known exploits have been reported in the wild, and no official patches or mitigations have been linked yet. The root cause is an insecure default configuration built on a static secret, a common anti-pattern that leads to authentication bypasses.
Potential Impact
The primary impact of CVE-2024-6535 is unauthorized access to the Skupper console, which could allow an attacker to view or manipulate configuration and operational data related to cross-cluster communication. While this does not directly expose sensitive data or disrupt service availability, unauthorized console access can lead to further compromise, such as modifying routing rules, injecting malicious configurations, or escalating privileges within the environment. Organizations relying on Skupper for secure multi-cluster communication face an increased risk of lateral movement or persistent access if the vulnerability is exploited. Because no authentication or user interaction is required, the attack surface is broad for any exposed Skupper console configured with the Openshift oauth-proxy and a static cookie secret. This affects cloud-native environments, DevOps pipelines, and microservices architectures that depend on Skupper for connectivity. The medium severity rating reflects a moderate but significant risk: an integrity compromise without direct confidentiality or availability impact.
Mitigation Recommendations
To mitigate CVE-2024-6535, organizations should first verify whether their Skupper deployments have the console enabled with console-auth set to Openshift. If so, they should avoid static cookie-secrets in the oauth-proxy configuration and instead configure oauth-proxy with a dynamically generated cookie secret that is unique to each deployment, which prevents cookie forgery. Where possible, disable the console or restrict network access to it with firewall rules or network policies to limit exposure. Monitor access logs for authentication bypass attempts or suspicious cookie usage. Follow Skupper and Openshift security advisories for patches or configuration guidance addressing this issue. Consider additional authentication layers or integration with identity providers that do not rely on static secrets. Review Kubernetes and related components regularly for insecure defaults. Finally, make DevOps and security teams aware of the risks of static secrets and enforce secure configuration management practices.
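The audit and remediation described above, as an added example that is not Skupper's or oauth-proxy's own code: it scans a pod spec for an oauth-proxy container that carries a literal `--cookie-secret=` argument and rewrites it to read a freshly generated, per-deployment secret from a mounted Kubernetes Secret via `--cookie-secret-file`. The sample pod spec, the Secret name and the mount path are constructed for illustration; the `--cookie-secret-file` flag is assumed to be supported by the deployed oauth-proxy build.

```python
import base64
import copy
import secrets

# Constructed sample pod spec (not Skupper's own manifest); the inline value is a
# placeholder for whatever static secret a vulnerable deployment carries.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "oauth-proxy", "args": [
        "--provider=openshift",
        "--cookie-secret=STATIC_PLACEHOLDER_SECRET",
        "--upstream=http://localhost:8080"]},
    {"name": "console", "args": []},
]}}

def find_inline_cookie_secrets(pod):
    """Names of containers that pass --cookie-secret=... as a literal argument."""
    return [c["name"] for c in pod["spec"]["containers"]
            if any(a.startswith("--cookie-secret=") for a in c.get("args", []))]

def new_cookie_secret(nbytes=32):
    """Fresh per-deployment secret from the OS CSPRNG, never a hard-coded value."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()

def harden(pod, secret_name="oauth-proxy-cookie"):
    """Return (hardened pod, Secret manifest). Every inline --cookie-secret is
    replaced by --cookie-secret-file pointing at a mounted Kubernetes Secret.
    Returns (pod copy, None) when nothing needed changing."""
    pod = copy.deepcopy(pod)                      # never modify the caller's object
    mount = "/etc/oauth-proxy/cookie"             # assumed mount path
    changed = False
    for c in pod["spec"]["containers"]:
        args = c.get("args", [])
        if not any(a.startswith("--cookie-secret=") for a in args):
            continue
        changed = True
        c["args"] = [a for a in args if not a.startswith("--cookie-secret=")]
        c["args"].append(f"--cookie-secret-file={mount}/secret")
        c.setdefault("volumeMounts", []).append(
            {"name": "cookie-secret", "mountPath": mount, "readOnly": True})
    if not changed:
        return pod, None
    pod["spec"].setdefault("volumes", []).append(
        {"name": "cookie-secret", "secret": {"secretName": secret_name}})
    manifest = {"apiVersion": "v1", "kind": "Secret",
                "metadata": {"name": secret_name},
                # Kubernetes Secret data is base64-encoded file content
                "data": {"secret": base64.b64encode(new_cookie_secret().encode()).decode()}}
    return pod, manifest

if __name__ == "__main__":
    print("inline cookie secrets in:", find_inline_cookie_secrets(SAMPLE_POD))
    hardened, secret = harden(SAMPLE_POD)
    print("after hardening:", find_inline_cookie_secrets(hardened), secret["metadata"])
```

Run the audit against every namespace that hosts a Skupper console; a hit means the cookie signing key is fixed in the manifest and should be rotated to the generated Secret.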
Affected Countries
United States, Germany, United Kingdom, Canada, France, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-07-05T18:48:04.548Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f730d28b41f27b438b879
Added to database: 11/20/2025, 7:59:09 PM
Last enriched: 2/28/2026, 3:47:48 AM
Last updated: 3/24/2026, 1:35:10 PM