Bug 2221928

Summary: Satellite: CSRF Enabled by Attacker Exploiting API Session Cookie via User's Kerberos Ticket
Product: [Other] Security Response
Reporter: Yadnyawalk Tale <ytale>
Component: weakness
Assignee: Nobody <nobody>
Status: NEW ---
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: bbuckingham, bcourt, ehelms, jsherril, lzap, mhulan, myarboro, nmoumoul, orabin, pcreech, rchan
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2168153

Description Yadnyawalk Tale 2023-07-11 10:11:38 UTC
Description:
A security regression was discovered during the testing of an upcoming feature in Satellite 6.13, which allows the use of Kerberos for the CLI and API. Although this may be considered a feature rather than a bug, it introduces a new attack vector through CSRF.

The issue allows an attacker to obtain an API session cookie in a browser, even if the user has never logged into Satellite or entered their credentials. The only prerequisite is that the user has a Kerberos Ticket Granting Ticket (TGT) obtained through 'kinit'. With this API session cookie, the attacker can perform CSRF attacks against the API, bypassing CSRF protection and carrying out malicious actions under the user's name, without the user's consent.

Impacted Satellite Version:
6.13
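The session-cookie path described above, as an added example that is not Satellite or Foreman code: a small policy model in Python showing two controls, refusing state-changing API calls on a session minted by a silent Negotiate (Kerberos) handshake, and requiring a same-origin caller plus a session-bound CSRF token for any cookie-authenticated write. Session, Request, SESSIONS, SATELLITE_ORIGIN and the header and cookie names are assumed placeholders, not Satellite's real ones.

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

SATELLITE_ORIGIN = "https://satellite.example.com"  # hypothetical host
SESSIONS = {}  # session id -> Session (in-memory stand-in for a session store)

@dataclass
class Session:
    id: str
    api_only: bool  # True when minted by a silent Negotiate (Kerberos) handshake
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(16))

    def csrf_token(self) -> str:
        # Token bound to this session; a cross-site page cannot read it.
        return hmac.new(self.csrf_secret.encode(), self.id.encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict

def establish_session(via_negotiate: bool) -> Session:
    # Control 1: a session created by SPNEGO is flagged API-only so it can
    # never stand in for an interactive browser login on state-changing calls.
    s = Session(id=secrets.token_hex(8), api_only=via_negotiate)
    SESSIONS[s.id] = s
    return s

def authorize(req: Request) -> tuple:
    # Credentials carried in the request itself cannot be attached cross-site.
    if req.headers.get("Authorization", "").startswith(("Negotiate ", "Basic ")):
        return True, "credentialed request"
    session = SESSIONS.get(req.cookies.get("_session_id", ""))
    if session is None:
        return False, "no session"
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if session.api_only:
        return False, "kerberos-minted session not valid for cookie-only writes"
    # Control 2: cookie-authenticated writes need a same-origin caller and a token.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SATELLITE_ORIGIN):
        return False, "cross-site origin"
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), session.csrf_token()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```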