CVE-2020-10743

Published: 27 Jan 2020
Source: redhat
CVSS3: 3.1

Description

It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.

Statement

This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana does not consider this a vulnerability, but may address it in a future version: https://github.com/elastic/kibana/issues/52809

Mitigation

Any Kibana version with this commit [1] can add the following configuration option to mitigate the problem, in config/kibana.yml:

server.customResponseHeaders: {"x-frame-options":"deny"}

or

server.customResponseHeaders: {"x-frame-options":"sameorigin"}

[1] https://github.com/elastic/kibana/pull/13045
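To verify that the mitigation above actually reaches the browser, the following added check (not part of the advisory or of Kibana's own code) classifies the anti-framing policy carried by a set of response headers. The header dictionaries are constructed samples, and the function names are this example's own.

```python
"""Classify the anti-framing policy carried by a set of HTTP response headers.

Constructed example: the header dictionaries below are made up for
illustration, not captured from a real OpenShift or Kibana instance.
"""
from typing import Mapping

# Kibana with no anti-framing header at all (the CVE-2020-10743 condition).
UNPATCHED = {"content-type": "text/html; charset=utf-8", "kbn-name": "kibana"}
# The two mitigations from the advisory, as they appear on the wire once
# server.customResponseHeaders is set in kibana.yml.
DENY = {"content-type": "text/html", "x-frame-options": "deny"}
SAMEORIGIN = {"content-type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
# Equivalent protection expressed through CSP instead of X-Frame-Options.
CSP_ONLY = {"content-security-policy": "script-src 'self'; frame-ancestors 'none'"}
# ALLOW-FROM is obsolete and ignored by current browsers, so it offers nothing.
OBSOLETE = {"x-frame-options": "ALLOW-FROM https://dashboard.example"}


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allowlist' or 'framable'.

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive, when present, takes precedence over X-Frame-Options, which is
    the order browsers apply.
    """
    lower = {name.lower(): value.strip() for name, value in headers.items()}

    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.strip("'").lower() for t in tokens[1:]}
            if sources == {"none"}:
                return "blocked"
            if sources == {"self"}:
                return "same-origin"
            return "allowlist"  # only the listed origins may embed the page

    xfo = lower.get("x-frame-options", "").lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin"
    return "framable"  # missing, empty or obsolete (ALLOW-FROM) value


def is_clickjacking_mitigated(headers: Mapping[str, str]) -> bool:
    """True when an arbitrary third-party origin can no longer frame the page."""
    return framing_policy(headers) != "framable"
```

Run it against the headers returned by the Kibana route (for example from the `/app/kibana` response) after applying the kibana.yml change; "framable" means the page is still in the state the advisory describes.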

Affected packages

Platform | Package | Status | Advisory | Release
Red Hat OpenShift Container Platform 4 | kibana | Will not fix | | 
Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-kibana5 | Fixed | RHSA-2020:3727 | 16.09.2020
Red Hat OpenShift Container Platform 4.6 | openshift4/ose-logging-kibana6 | Fixed | RHSA-2020:4298 | 27.10.2020


Additional information

Status: Low
Weakness: CWE-358
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1834550
kibana: X-Frame-Option not set by default might lead to clickjacking


Related vulnerabilities

The same CVE as recorded by other sources; each carries the description given above.

nvd, CVSS3: 4.3, more than 4 years ago
debian, CVSS3: 4.3, more than 4 years ago
github, CVSS3: 4.3, more than 3 years ago
