CVE-2024-7557

Published: Aug 8, 2024

Modified: Mar 19, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

A vulnerability was found in OpenShift AI that allows for authentication bypass and privilege escalation across models within the same namespace. When deploying AI models, the UI provides the option to protect models with authentication. However, credentials from one model can be used to access other models and APIs within the same namespace. The exposed ServiceAccount tokens, visible in the UI, can be utilized with oc --token={token} to exploit the elevated view privileges associated with the ServiceAccount, leading to unauthorized access to additional resources.

Vendor	Product	Versions
Unknown	odh-dashboard	affected `2.8.*` affected `2.11` unaffected `a122ad06a297f4e8b2a065eece910aa882cc3fa6`
Red Hat	Red Hat OpenShift AI (RHOAI)	All versions
Red Hat	Red Hat OpenShift AI (RHOAI)	All versions
Red Hat	Red Hat OpenShift Data Science (RHODS)	All versions
Red Hat	Red Hat OpenShift Data Science (RHODS)	All versions

Weaknesses (CWE)

CWE-305

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://access.redhat.com/security/cve/CVE-2024-7557

vdb-entry

x_refsource_REDHAT

RHBZ#2303094

issue-tracking

x_refsource_REDHAT

https://github.com/opendatahub-io/odh-dashboard/pull/3198

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-7557

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References