Bug 883227 (CVE-2012-5622)

Summary: CVE-2012-5622 openshift-console: CSRF attack
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bleanhar, jechoi, jialiu, lmeyer, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-12-16 04:50:52 UTC
Bug Depends On: 878754
Bug Blocks: 883523

Description Kurt Seifried 2012-12-04 04:58:57 UTC
Jeremy Choi of Red Hat reports:

There is no CSRF attack protection mechanism on the web console. While users
are authenticated, malicious links or scripts provided by attackers can cause
unwanted actions which the user does not intend to perform.
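The class of bug described above, shown as an added example rather than code from the OpenShift console or from the Red Hat report: a state-changing handler that trusts the session cookie alone is forgeable from any attacker-controlled page, because the browser attaches the victim's cookie to a cross-site form post. The hardened version applies the synchronizer-token pattern (the same idea behind Rails' protect_from_forgery): a per-session secret that the attacker's origin cannot read and that must be echoed in the request body or an X-CSRF-Token header, compared in constant time. The session store, request struct, route and handler names are constructed for the illustration and are not the console's own.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS = {}

# Minimal HTTP request model; field names are assumptions for this example.
Request = Struct.new(:method, :path, :params, :cookies, :headers, keyword_init: true)

# Log a user in: create a session and mint a per-session CSRF token alongside it.
def new_session(user)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { user: user, csrf_token: SecureRandom.hex(32) }
  sid
end

def session_for(req)
  SESSIONS[req.cookies['_session_id']]
end

# VULNERABLE: any POST carrying a valid session cookie is acted on. A hidden form
# on an attacker's page that auto-submits to this path is enough to trigger it
# while the victim is logged in.
def delete_app_vulnerable(req)
  session = session_for(req)
  return [401, 'not logged in'] unless session
  return [405, 'method not allowed'] unless req.method == 'POST'
  [200, "deleted #{req.params['app']} for #{session[:user]}"]
end

# Constant-time byte comparison so an attacker cannot recover the token by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The token may arrive as a form field (HTML forms) or a header (XHR); either way
# it must match the one bound to this session.
def valid_csrf_token?(session, req)
  presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  return false if presented.nil?
  secure_compare(presented.to_s, session[:csrf_token])
end

# HARDENED: same handler, but a missing or wrong token is rejected before any
# state changes. Cross-origin pages cannot read the victim's token, so they
# cannot construct a passing request.
def delete_app_protected(req)
  session = session_for(req)
  return [401, 'not logged in'] unless session
  return [405, 'method not allowed'] unless req.method == 'POST'
  return [403, 'invalid authenticity token'] unless valid_csrf_token?(session, req)
  [200, "deleted #{req.params['app']} for #{session[:user]}"]
end

# Constructed cross-site request: the attacker chooses method, path and body; the
# victim's browser adds the cookie; the token is absent because it is unknowable.
def forged_request(sid)
  Request.new(method: 'POST', path: '/application/destroy',
              params: { 'app' => 'prod' },
              cookies: { '_session_id' => sid }, headers: {})
end

# Constructed same-origin request: the console's own form embeds the token.
def legitimate_request(sid)
  Request.new(method: 'POST', path: '/application/destroy',
              params: { 'app' => 'prod', 'authenticity_token' => SESSIONS[sid][:csrf_token] },
              cookies: { '_session_id' => sid }, headers: {})
end

# Run the forged request against both handlers and a legitimate one against the
# hardened handler; returns the status codes.
def demo
  sid = new_session('victim')
  {
    vulnerable_forged: delete_app_vulnerable(forged_request(sid)).first,
    protected_forged:  delete_app_protected(forged_request(sid)).first,
    protected_legit:   delete_app_protected(legitimate_request(sid)).first
  }
end

demo.each { |name, status| puts "#{name}: #{status}" } if __FILE__ == $0
```

The token check is only meaningful if every state-changing action is behind a non-GET method and the check; a GET route that deletes an application is forgeable with a plain link regardless of tokens.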

Comment 1 errata-xmlrpc 2012-12-10 21:03:52 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2012:1555 https://rhn.redhat.com/errata/RHSA-2012-1555.html

Comment 2 Murray McAllister 2012-12-19 00:56:07 UTC
Acknowledgements:

This issue was discovered by Red Hat.