exploitDog

CVE-2021-3660

Published: 20 Jul 2021
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

Report

In cockpit versions 236 and above (Red Hat Enterprise Linux 8.4 and above), this flaw should not be exploitable, as the session cookie has the SameSite=Strict option enabled, which prevents web browsers from reusing it from third-party web sites. As a result, the cockpit web page is not logged in when it is loaded from an embedded third-party web site.
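The statement above describes two things a defender can verify from a Cockpit server's own response headers: whether the page may be framed at all, and whether the session cookie carries SameSite=Strict so that a cross-site frame loads it logged-out. The check below is an added example, not code from this page or from the Cockpit project; the header sets and the cookie name "cockpit" are constructed for illustration.

```python
import re

# Values of X-Frame-Options that stop cross-site framing.
FRAMING_XFO = {"deny", "sameorigin"}

def _parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value}); attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def assess_clickjacking_defenses(headers):
    """headers: iterable of (name, value) pairs from one HTTP response.
    Reports whether framing is blocked and whether every cookie set by the
    response is SameSite=Strict, the fix the Red Hat statement describes."""
    framing_blocked = False
    cookies = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.strip().lower() in FRAMING_XFO:
            framing_blocked = True
        elif lname == "content-security-policy":
            m = re.search(r"frame-ancestors\s+([^;]+)", value, re.I)
            if m and m.group(1).strip().lower() in ("'none'", "'self'"):
                framing_blocked = True
        elif lname == "set-cookie":
            cname, attrs = _parse_set_cookie(value)
            cookies[cname] = attrs.get("samesite", "").lower() or None
    all_strict = bool(cookies) and all(s == "strict" for s in cookies.values())
    return {
        "framing_blocked": framing_blocked,
        "cookie_samesite": cookies,
        # A framed page still carries the login only if neither defense is present.
        "clickjackable_when_logged_in": not (framing_blocked or all_strict),
    }

# Constructed sample responses; the cookie name "cockpit" is an assumption, not taken from the page.
OLD_RESPONSE = [("Content-Type", "text/html"),
                ("Set-Cookie", "cockpit=abc123; Path=/; Secure; HttpOnly")]
NEW_RESPONSE = [("Content-Type", "text/html"),
                ("Set-Cookie", "cockpit=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]

if __name__ == "__main__":
    for label, hdrs in (("pre-236", OLD_RESPONSE), ("236+", NEW_RESPONSE)):
        print(label, assess_clickjacking_defenses(hdrs))
```

Feed it the header list from a real response (for example from `http.client` or `requests`) to confirm the deployed build behaves as the statement says.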

Affected packages

Platform                                    Package   Status                 Advisory         Release
Red Hat Enterprise Linux 7                  cockpit   Out of support scope
Red Hat Enterprise Linux 9                  cockpit   Not affected
Red Hat OpenShift Container Platform 3.11   cockpit   Out of support scope
Red Hat Virtualization 4                    cockpit   Affected
Red Hat Enterprise Linux 8                  cockpit   Fixed                  RHSA-2022:2008   10.05.2022

Additional information

Status: Low
Weakness: CWE-1021
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1980688 (cockpit: pages vulnerable to clickjacking)

EPSS: 0.00256 (percentile 49%, Low)

CVSS3: 4.3 Medium

Related vulnerabilities

CVSS3: 4.3
ubuntu
more than 3 years ago

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

CVSS3: 4.3
nvd
more than 3 years ago

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

CVSS3: 4.3
msrc
more than 3 years ago

No description available

CVSS3: 4.3
debian
more than 3 years ago

Cockpit (and its plugins) do not seem to protect itself against clickj ...

CVSS3: 4.3
github
more than 3 years ago

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.