Description
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack.
Statement
OpenShift Container Platform versions prior to 3.11 do not contain the affected "cluster console" component and are not vulnerable to this flaw.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 3.6 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 3.7 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 3.9 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-console | Fixed | RHSA-2019:4053 | 16.12.2019 |
| Red Hat OpenShift Container Platform 4.1 | openshift4/ose-console | Fixed | RHSA-2019:2792 | 17.09.2019 |
| Red Hat OpenShift Container Platform 4.2 | openshift4/ose-console | Fixed | RHBA-2019:2922 | 16.10.2019 |
Additional information
Status:
EPSS:
CVSS3: 4.2 Medium