Oauth-server-container: oauth-server-container logs client secret in debug level

CVE	CVE-2024-11217
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2024-11-15 21:15:06 UTC
Updated	2026-06-26 05:16:25 UTC
Description	A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options.

Primary CVSS: v3.1 4.9 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.003610000 probability, percentile 0.279790000 (date 2026-06-28)

Problem Types: CWE-1295 | CWE-1295 Debug Messages Revealing Unnecessary Information

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	4.9	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N`
3.1	CNA	CVSS	4.9	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Source	Vendor	Product	Version	Platforms
CNA	Red Hat	Red Hat OpenShift Container Platform 4	Not specified	Not specified

Reference	Source	Link	Tags
access.redhat.com/security/cve/CVE-2024-11217	[email protected]	access.redhat.com
bugzilla.redhat.com/show_bug.cgi	[email protected]	bugzilla.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: This issue was discovered by Xingxing Xia (OpenShift QE (Quality Engineering), Red Hat). (en)

Source	Time	Event
CNA	2024-11-14T12:49:38.971Z	Reported to Red Hat.
CNA	2024-11-14T00:00:00.000Z	Made public.

There are currently no legacy QID mappings associated with this CVE.