Bug 2148667 (CVE-2022-4145)

Summary: CVE-2022-4145 openshift: content spoofing
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jburrell, joelsmith, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2142217

Description Nick Tait 2022-11-26 22:18:48 UTC
There is a content spoofing flaw in OpenShift's OAuth endpoint (https://oauth.openshift.apps.HOSTNAME.com): spoofing an error_description query param results in the error message coming back in the OpenShift response JSON. For example, this URL:

https://oauth-openshift.apps.jmazziteos4.lab.upshift.rdu2.redhat.com/error_description=An%20error%20occurred,%20to%20correct%20please%20visit%20http://dr.evil.com%20or%20call%20the%20number%20081337

shows an error message which includes text injected by the attacker: "An error occurred, to correct please visit http://dr.evil.com or call the number 081337".
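The pattern behind this class of bug, as an added illustration that is not OpenShift's code and not part of the bug report: an OAuth error page that reflects the client-supplied `error_description` parameter into its body, beside a version that keys a fixed, server-authored message off the OAuth error code only. The route name `/error`, the renderer functions, the message table and the `support.spoofed.example` sample text are all assumptions constructed for the example. Note that the reflecting version already HTML-escapes the parameter, so it is not an XSS bug; the remaining problem is that the attacker chooses the words the user reads on a page served from the trusted origin.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// renderErrorUnsafe copies the client-controlled error_description query
// parameter into the page body. The text is HTML-escaped, so no script can
// run, but it is still presented as if it were the server's own message:
// that is the content-spoofing pattern. (Hypothetical code, not OpenShift's.)
func renderErrorUnsafe(q url.Values) string {
	desc := html.EscapeString(q.Get("error_description"))
	return fmt.Sprintf("<html><body><h1>Login error</h1><p>%s</p></body></html>", desc)
}

// knownErrors maps the OAuth 2.0 (RFC 6749) error codes the server itself may
// emit to fixed descriptions written by the server's authors, not the client.
var knownErrors = map[string]string{
	"invalid_request":         "The request is missing a required parameter or is malformed.",
	"unauthorized_client":     "This client is not authorized to request an authorization code.",
	"access_denied":           "The request was denied.",
	"server_error":            "The authorization server encountered an unexpected condition.",
	"temporarily_unavailable": "The authorization server is temporarily unable to handle the request.",
}

// genericError is shown for any code that is not in knownErrors.
const genericError = "An error occurred during authentication. Please try again."

// renderErrorSafe never reads error_description from the query. The message is
// selected by the error code alone, so no client-supplied text reaches the page.
func renderErrorSafe(q url.Values) string {
	desc, ok := knownErrors[q.Get("error")]
	if !ok {
		desc = genericError
	}
	return fmt.Sprintf("<html><body><h1>Login error</h1><p>%s</p></body></html>", html.EscapeString(desc))
}

// errorHandler wraps a renderer as the http.Handler for the assumed /error route.
func errorHandler(render func(url.Values) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, render(r.URL.Query()))
	})
}

// serveError drives one renderer through the handler in-process (httptest,
// no network) and returns the response body so it can be inspected.
func serveError(render func(url.Values) string, rawURL string) string {
	rec := httptest.NewRecorder()
	errorHandler(render).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Body.String()
}

func main() {
	// Constructed request in the shape of the report: a genuine error code plus
	// an attacker-chosen description that points the user at a spoofed site.
	spoofed := "/error?error=access_denied&error_description=" +
		url.QueryEscape("An error occurred, to correct please visit http://support.spoofed.example")
	fmt.Println("unsafe:", serveError(renderErrorUnsafe, spoofed))
	fmt.Println("safe:  ", serveError(renderErrorSafe, spoofed))
}
```

Running it prints the two bodies side by side: the first carries the spoofed support URL verbatim, the second carries only the fixed `access_denied` message. The same approach applies to any other user-visible string on an authentication page (titles, "contact" text, redirect hints): render from a server-side table indexed by an enum or code, never from the request.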