{
  "threat_severity" : "Low",
  "public_date" : "2020-01-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kibana: X-Frame-Option not set by default might lead to clickjacking",
    "id" : "1834550",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-358",
  "details" : [ "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.", "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking." ],
  "statement" : "This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana does not consider this a vulnerability, but may address this in a future version:\nhttps://github.com/elastic/kibana/issues/52809",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-09-16T00:00:00Z",
    "advisory" : "RHSA-2020:3727",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "openshift3/ose-logging-kibana5:v3.11.286-1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-10-27T00:00:00Z",
    "advisory" : "RHSA-2020:4298",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10743\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10743" ],
  "name" : "CVE-2020-10743",
  "mitigation" : {
    "value" : "Any Kibana version with this commit [1] can add the following configuration option to mitigate the problem:\nconfig/kibana.yml:\nserver.customResponseHeaders: {\"x-frame-options\":\"deny\"}\nor\nserver.customResponseHeaders: {\"x-frame-options\":\"sameorigin\"}\n[1] https://github.com/elastic/kibana/pull/13045",
    "lang" : "en:us"
  },
  "csaw" : false
}