{
  "threat_severity" : "Moderate",
  "public_date" : "2019-07-08T00:00:00Z",
  "bugzilla" : {
    "description" : "atomic-openshift: reflected XSS in authentication flow",
    "id" : "1693499",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1693499"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A reflected XSS vulnerability exists in the authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. An attacker could use this flaw to steal authorization data by getting users to click on a malicious link.", "A reflected XSS vulnerability exists in the authentication flow of the OpenShift Container Platform. An attacker could use this flaw to steal authentication data by having users click a malicious link." ],
  "statement" : "Since the HTTP Response \"Content Type\" is \"text/plain\" most browsers won't execute any JavaScript in the response content. However, if an attacker can trick a user into loading the response in an iFrame it is possible to exploit this vulnerability. Appropriate Cross Origin Resource (CORS) Allowed Domain configuration in OCP 3 should prevent an attacker from getting any response from an attacker-hosted domain. Therefore make sure that corsAllowedDomains is specified correctly in your OCP 3 master-config.yaml. See [1] for more details on an issue with corsAllowedDomains in OCP 3.\n[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694913\nAlso, content-sniffing browsers [2] do execute JavaScript even when the \"Content Type\" HTTP Response header is set to \"text/plain\".\n[2] https://en.wikipedia.org/wiki/Content_sniffing",
  "acknowledgement" : "This issue was discovered by Jeremy Choi (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-03-20T00:00:00Z",
    "advisory" : "RHSA-2020:0795",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.188-1.git.0.db0eaa8.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-11-07T00:00:00Z",
    "advisory" : "RHSA-2019:3722",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-hypershift:v4.1.22-201910291109"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.2",
    "release_date" : "2019-11-13T00:00:00Z",
    "advisory" : "RHSA-2019:3770",
    "cpe" : "cpe:/a:redhat:openshift:4.2::el7",
    "package" : "openshift4/ose-oauth-server-rhel7:v4.2.4-201911050122"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Will not fix",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Will not fix",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-3889\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3889" ],
  "name" : "CVE-2019-3889",
  "csaw" : false
}