Bug 1622372 (CVE-2018-10937)

Summary: CVE-2018-10937 tectonic-console: XSS Vulnerability in K8s API proxy
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, bleanhar, ccoleman, dedgar, jgoulding, jokerman, lrock, mchappel, rkshirsa, scuppett, spadgett, syang, yapei
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-28 15:08:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1622373    
Bug Blocks: 1619496    

Description Jason Shepherd 2018-08-27 00:30:05 UTC 
A XSS flaw exists in the tetonic-console component of Openshift Container Platfrom 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim.
Comment 3 Jason Shepherd 2018-08-27 00:51:19 UTC 
Acknowledgments:

Name: Sam Padgett (Red Hat)
Comment 4 Laura Pardo 2018-08-27 21:27:34 UTC 
References:
https://github.com/openshift/console/pull/461

Upstream fix:
https://github.com/openshift/console/commit/d56666852da6e7309a2e63a49f49a72ff66d309c
Comment 8 Jason Shepherd 2019-03-28 01:14:38 UTC 
This vulnerability was fixed prior to the release of OpenShift 3.11, so the initial release of that version was not affected.