1303577 – openshift-origin: kubernetes: Same route in multiple projects can direct users to attacker's site

Bug 1303577 - openshift-origin: kubernetes: Same route in multiple projects can direct users to attacker's site

Summary: openshift-origin: kubernetes: Same route in multiple projects can direct user...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1302287
Blocks:	1303581
TreeView+	depends on / blocked

Reported:	2016-02-01 11:04 UTC by Adam Mariš
Modified:	2019-09-29 13:43 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-02 04:28:24 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Adam Mariš 2016-02-01 11:04:26 UTC

It was reported that if the same hostname already exists in another project when a new route is created, no error handling takes place. While it looks the route in a project has been created successfully, the request made to the route will be sent to the existing service. Attacker may be able to preoccupy a hostname, which stays unnoticed to developer, and users of that service may be led to the malicious site.

Product bug (contains steps to reproduce):

https://bugzilla.redhat.com/show_bug.cgi?id=1302287

Comment 1 Kurt Seifried 2016-02-02 04:28:24 UTC

This issue does not cross any trust boundaries currently, as such this is not considered a security vulnerability at this time.

Note You need to log in before you can comment on or make changes to this bug.