Bug 1889435

Summary: (CVE-2020-27839) [security] Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers
Product: Red Hat Ceph Storage (Red Hat Storage)
Reporter: Ernesto Puerta <epuertat>
Component: Ceph-Dashboard
Assignee: avan <athakkar>
Status: CLOSED ERRATA
QA Contact: Sunil Angadi <sangadi>
Severity: medium
Docs Contact: Ranjini M N <rmandyam>
Priority: medium
Version: 5.0
CC: athakkar, ceph-eng-bugs, kdreyer, rmandyam, sangadi, tserlin, vereddy
Target Milestone: ---
Keywords: Security
Target Release: 5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: security
Fixed In Version: ceph-16.0.0-8633.el8cp
Doc Type: Bug Fix
Doc Text:
.Secure cookie-based sessions are enabled for accessing the {storage-product} Dashboard
Previously, storing information in LocalStorage made the {storage-product} dashboard accessible to all sessions running in a browser, making the dashboard vulnerable to XSS attacks. With this release, LocalStorage is replaced with secure cookie-based sessions and thereby the session secret is available only to the current browser instance.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-30 08:26:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1959686
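The Doc Text above describes the fix in outline: the session token leaves LocalStorage, where any script running in the page can read it, and moves into a cookie whose attributes keep it away from script and off plain HTTP. The following is an added example, not code from Ceph or from this bug: it builds such a Set-Cookie header with the Python standard library and audits an arbitrary Set-Cookie value for the attributes the fix depends on. The cookie name `dashboard_sid`, the token string and the lifetime are constructed values.

```python
from http.cookies import SimpleCookie
from typing import List


def build_session_cookie(name: str, token: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value carrying a session token.

    HttpOnly keeps the value out of document.cookie, so script injected
    into the page cannot read it the way it could read LocalStorage.
    Secure limits the cookie to HTTPS; SameSite=Strict stops the browser
    from attaching it to cross-site requests.
    """
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"   # Morsel supports samesite since Python 3.8
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header: str) -> List[str]:
    """Return the list of hardening attributes missing from a Set-Cookie value.

    An empty list means HttpOnly, Secure and a restrictive SameSite are all
    present; anything else names what a reviewer should flag.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = parts[1:]                       # parts[0] is name=value
    flags = {a.split("=", 1)[0].lower() for a in attrs}
    values = {a.split("=", 1)[0].lower(): a.split("=", 1)[1]
              for a in attrs if "=" in a}
    problems = []
    for required in ("httponly", "secure"):
        if required not in flags:
            problems.append(f"missing {required}")
    if values.get("samesite", "").lower() not in ("strict", "lax"):
        problems.append("samesite missing or None")
    return problems


if __name__ == "__main__":
    # Constructed token; a real deployment would use the server's signed JWT.
    header = build_session_cookie("dashboard_sid", "eyJ.constructed.token")
    print(header)
    print("problems:", audit_set_cookie(header))
    print("problems:", audit_set_cookie("dashboard_sid=abc; Path=/"))
```

The audit function is written to run over any captured Set-Cookie value, so it can be pointed at response headers from a dashboard under review rather than only at the cookie this example builds.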

Comment 12 errata-xmlrpc 2021-08-30 08:26:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3294