Bug 2106780 (CVE-2022-3260)

Summary: CVE-2022-3260 Openshift: Missing X-Frame-Options Header
Product: [Other] Security Response Reporter: Sage McTaggart <amctagga>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: akashem, bmontgom, eparis, jburrell, joelsmith, nstielau, sponnaga, vkumar, xxia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2106781    

Description Sage McTaggart 2022-07-13 14:06:07 UTC 
Description of the problem:
The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack. Clickjacking, also known as a 'UI redress attack', is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is 'hijacking' clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

Release version:
2.4.4

Operator snapshot version:
Unknown

OCP version:
4.9

Browser Info:
Unknown

Steps to reproduce:
1. Login into the application Using "admin1" user
2. Navigate to search >> filter
3. Intercept the request using a proxy tool
4. Apply attack value in parameter
Parameter: filters
Attack Value: [{"property":"kind","values":["test"]},{"property":"'b) OR (1","values":["1'"]}

Actual results:

Expected results:

Additional info: