Cryostat Authentication Bypass Vulnerability in HTTP API

Vulnerability

An authentication bypass vulnerability has been identified in the Cryostat HTTP API, specifically in version 4.0.0. The API binds to all network interfaces, which can expose the API port to external access if Network Policies are disabled. This vulnerability allows an unauthenticated, malicious attacker to send HTTP requests directly to the Cryostat API, bypassing the OpenShift OAuth authentication and authorization mechanisms. The issue arises when the underlying cluster network stack does not support Network Policies, or if the Cryostat installation has been configured to disable them.

Impact

Exploitation of this vulnerability allows for an authentication bypass, enabling unauthorized access to the Cryostat HTTP API. This could lead to unauthorized actions or data exposure within the Cryostat environment.

Reproduction

To reproduce this vulnerability, deploy Cryostat version 4.0.0 in an OpenShift environment where the network stack does not support Network Policies, or explicitly disable Network Policies in the Cryostat Custom Resource. Once deployed, the Cryostat HTTP API will be accessible without authentication, allowing for unauthorized HTTP requests to be sent directly to the API port.

Remediation

Ensure that Network Policies are enabled in the Cryostat Custom Resources and that the underlying cluster network stack supports Network Policies. If Network Policies are disabled, re-enable them or adjust the Cryostat installation to restore the default Network Policy settings.
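The remediation above hinges on one question a defender can verify directly: is the Cryostat pod actually selected by an ingress NetworkPolicy, and does any rule in those policies still leave the API port open to every source? The following added example (not Cryostat's or cryostat-operator's code) applies standard Kubernetes NetworkPolicy semantics to objects in the shape returned by `kubectl get networkpolicy -A -o json`: a pod is ingress-isolated once any policy in its namespace selects it with "Ingress" in policyTypes; a rule with no `from` matches every source and a rule with no `ports` matches every port. The pod labels (`app=cryostat`), the namespace and the API port (8181) are assumptions, not values from the advisory, and the policy objects are constructed samples. Numeric ports only are handled; named ports are an exercise left out here.

```python
"""Check whether a Cryostat pod is covered by an ingress NetworkPolicy.

Added example; not Cryostat's or the operator's own code. Pod labels,
namespace and API port below are assumptions.
"""
import json

CRYOSTAT_LABELS = {"app": "cryostat", "component": "cryostat"}  # assumed labels
CRYOSTAT_NAMESPACE = "cryostat-demo"                              # assumed
CRYOSTAT_API_PORT = 8181                                           # assumed


def matches_selector(selector: dict, labels: dict) -> bool:
    """Evaluate a LabelSelector (matchLabels and matchExpressions).
    An empty selector matches everything, as in Kubernetes."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def policy_types(spec: dict) -> list:
    """policyTypes defaults to Ingress, plus Egress when egress rules exist."""
    explicit = spec.get("policyTypes")
    if explicit:
        return explicit
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def audit_ingress(policies: list, pod_labels: dict, namespace: str, port: int) -> dict:
    """Report whether the pod is ingress-isolated and whether `port` is still
    reachable from any source under the policies that select the pod."""
    selecting = [
        p for p in policies
        if p.get("metadata", {}).get("namespace") == namespace
        and "Ingress" in policy_types(p.get("spec", {}))
        and matches_selector(p.get("spec", {}).get("podSelector") or {}, pod_labels)
    ]
    if not selecting:
        # No policy selects the pod: Kubernetes leaves it open to all ingress.
        return {"isolated": False, "port_open_to_all": True, "policies": []}

    port_open_to_all = False
    for pol in selecting:
        for rule in pol["spec"].get("ingress") or []:
            ports = rule.get("ports") or []
            port_matches = not ports or any(p.get("port") == port for p in ports)
            if not rule.get("from") and port_matches:
                port_open_to_all = True  # source-less rule reaches the API port
    return {
        "isolated": True,
        "port_open_to_all": port_open_to_all,
        "policies": sorted(p["metadata"]["name"] for p in selecting),
    }


def load_policies(kubectl_json: str) -> list:
    """Parse the List object produced by `kubectl get networkpolicy -A -o json`."""
    return json.loads(kubectl_json).get("items", [])


# Constructed sample objects in the shape kubectl returns (not real cluster data).
RESTRICTIVE_POLICY = {
    "metadata": {"name": "cryostat-internal-ingress", "namespace": CRYOSTAT_NAMESPACE},
    "spec": {
        "podSelector": {"matchLabels": {"app": "cryostat"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "openshift-ingress"}}}],
            "ports": [{"protocol": "TCP", "port": CRYOSTAT_API_PORT}],
        }],
    },
}
PERMISSIVE_POLICY = {
    "metadata": {"name": "allow-everything", "namespace": CRYOSTAT_NAMESPACE},
    "spec": {"podSelector": {}, "ingress": [{}]},  # selects all pods, allows all sources
}
OTHER_NAMESPACE_POLICY = {
    "metadata": {"name": "unrelated", "namespace": "other"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def run_scenarios() -> dict:
    """Three states of the cluster: no covering policy, a restrictive one, and a
    restrictive one undermined by a permissive sibling in the same namespace."""
    args = (CRYOSTAT_LABELS, CRYOSTAT_NAMESPACE, CRYOSTAT_API_PORT)
    return {
        "no_policies": audit_ingress([OTHER_NAMESPACE_POLICY], *args),
        "restrictive": audit_ingress([RESTRICTIVE_POLICY, OTHER_NAMESPACE_POLICY], *args),
        "permissive": audit_ingress([RESTRICTIVE_POLICY, PERMISSIVE_POLICY], *args),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Feed real output into `load_policies` and call `audit_ingress` with the labels of the deployed Cryostat pod; `isolated: False` corresponds to the advisory's vulnerable state (no policy selecting the pod), while `port_open_to_all: True` with `isolated: True` flags a policy that exists but does not actually restrict the API port.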

Added: Aug 20, 2025, 5:21 PM
Updated: Aug 20, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          1.4
  impact          5.0
  exploitability  7.3
  remediation     7.9
  relevance       0.4
  threat          1.6
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.