Description
Cockpit (and its plugins) does not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Report
In cockpit versions 236 and above (Red Hat Enterprise Linux 8.4 and above), this flaw should not be exploitable, as the session cookie has the SameSite=Strict option enabled, which prevents web browsers from sending it on requests made from third-party web sites. As a result, a cockpit page embedded in a third-party web site is not logged in.
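The statement above names one mitigation (a SameSite=Strict session cookie) for a framing problem that is usually handled by a frame-ancestors or X-Frame-Options policy. The following script is an added example, not code from the advisory or from the Cockpit project: it parses a raw HTTP response head and reports whether the page can be framed and whether the session cookie would travel with a cross-site framed load. The sample responses and the cookie name "cockpit" are constructed assumptions for illustration; the frame-ancestors check goes beyond what the advisory discusses and is included as the general defense.

```python
"""Audit a raw HTTP response head for clickjacking defenses.

Added example; not part of the advisory or the Cockpit project.
The responses below are constructed, and 'cockpit' as the session
cookie name is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from a real server).
VULNERABLE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cockpit=abc123; Path=/; Secure; HttpOnly
"""

SAMESITE_ONLY = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cockpit=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cockpit=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
"""


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a response head into lower-cased (name, value) pairs, skipping the status line."""
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def frame_policy(headers: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return ('csp', <frame-ancestors sources>) or ('xfo', DENY|SAMEORIGIN), else None."""
    for name, value in headers:
        if name == "content-security-policy":
            m = re.search(r"frame-ancestors\s+([^;]+)", value, re.IGNORECASE)
            if m:
                return ("csp", m.group(1).strip())
    for name, value in headers:
        if name == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN"):
            return ("xfo", value.upper())
    return None


def session_cookie_samesite(headers: List[Tuple[str, str]], cookie_name: str) -> Optional[str]:
    """SameSite value of the named cookie ('' if the attribute is missing); None if the cookie is not set."""
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        if parts[0].split("=", 1)[0] != cookie_name:
            continue
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "samesite":
                return val.strip().capitalize()
        return ""
    return None


def assess(raw: str, cookie_name: str = "cockpit") -> Dict[str, object]:
    """Combine both checks into a findings list; an empty list means both defenses are present."""
    headers = parse_raw_headers(raw)
    policy = frame_policy(headers)
    samesite = session_cookie_samesite(headers, cookie_name)
    findings = []
    if policy is None:
        findings.append("no X-Frame-Options/frame-ancestors: page can be framed")
    if samesite is None:
        findings.append(f"no {cookie_name} cookie in response")
    elif samesite != "Strict":
        findings.append(
            f"session cookie SameSite={samesite or 'unset'}: "
            "browser would send it in framed cross-site loads"
        )
    return {"frame_policy": policy, "samesite": samesite, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("samesite-only", SAMESITE_ONLY), ("hardened", HARDENED)):
        print(label, assess(sample))
```

Run against the second sample, the script reports that the page is still framable even though the session cookie will not be sent, which is exactly the position the statement describes for cockpit 236 and above: the framing itself is not blocked, but the framed page is not logged in.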
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 7 | cockpit | Out of support scope | ||
Red Hat Enterprise Linux 9 | cockpit | Not affected | ||
Red Hat OpenShift Container Platform 3.11 | cockpit | Out of support scope | ||
Red Hat Virtualization 4 | cockpit | Affected | ||
Red Hat Enterprise Linux 8 | cockpit | Fixed | RHSA-2022:2008 | 10.05.2022 |
Additional information
Status:
EPSS
CVSS3: 4.3 Medium
Related vulnerabilities
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.