Jordan Liggitt of Red Hat reports: Malicious content can be loaded via the API proxy in a GET request if:
1. an authorized access_token is provided as a query parameter, and
2. anonymous access is granted to the service/proxy or pod/proxy API for the pod serving the content.
That content has same-domain access to the browser localStorage if the web console and API server are hosted on the same domain. This gives the malicious content access to the logged-in user's API credentials.
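The two preconditions above (a bearer token passed as an access_token query parameter on a GET to a pod/proxy or service/proxy path, and anonymous access to those proxy paths) are both visible in the API server's request log. The following is an added detection example written for this page; it is not code from Red Hat or from the OpenShift project. It scans constructed sample lines in the key="value" style the kube-apiserver audit log used around this release (an assumption: adjust the regular expressions to the log format you actually ship), flags the two conditions separately, and redacts the token from the URI before the line is forwarded anywhere, since a token in a query string is otherwise copied verbatim into every log sink.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real audit data). The format approximates
# the kube-apiserver audit log of the OpenShift 3.1/3.2 era; this is an
# assumption, not a documented contract.
SAMPLE_AUDIT_LINES = [
    'AUDIT: id="1" ip="10.0.0.5" method="GET" user="alice" as="<self>" '
    'namespace="demo" uri="/api/v1/namespaces/demo/pods"',
    'AUDIT: id="2" ip="10.0.0.9" method="GET" user="alice" as="<self>" '
    'namespace="demo" uri="/api/v1/namespaces/demo/pods/web-1/proxy/index.html?access_token=SECRETTOKEN"',
    'AUDIT: id="3" ip="10.0.0.9" method="GET" user="system:anonymous" as="<self>" '
    'namespace="demo" uri="/api/v1/namespaces/demo/services/web/proxy/"',
    'AUDIT: id="4" ip="10.0.0.7" method="POST" user="bob" as="<self>" '
    'namespace="demo" uri="/api/v1/namespaces/demo/pods/web-1/proxy/upload?access_token=OTHERTOKEN"',
]

# key="value" pairs as they appear in the sample lines above.
AUDIT_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Proxy subresource paths: the pods/.../proxy and services/.../proxy forms,
# plus the older /api/v1/proxy/namespaces/... spelling of the same endpoints.
PROXY_PATH_RE = re.compile(
    r'^/api/v1/(?:'
    r'namespaces/[^/]+/(?:pods|services)/[^/]+/proxy(?:/|$)'
    r'|proxy/namespaces/[^/]+/(?:pods|services)/[^/]+(?:/|$)'
    r')'
)

ANONYMOUS_USER = "system:anonymous"


def parse_audit_line(line):
    """Turn one key="value" audit line into a dict (unknown keys are kept)."""
    return dict(AUDIT_KV_RE.findall(line))


def classify(record):
    """Return the findings for one parsed audit record.

    Only proxy-subresource requests are interesting; for those, report a GET
    that carries a bearer token in the query string (precondition 1) and any
    request made as the anonymous user (precondition 2).
    """
    findings = []
    parts = urlsplit(record.get("uri", ""))
    if not PROXY_PATH_RE.match(parts.path):
        return findings
    query = parse_qs(parts.query)
    if record.get("method") == "GET" and "access_token" in query:
        findings.append("token_in_query_on_proxy_get")
    if record.get("user") == ANONYMOUS_USER:
        findings.append("anonymous_proxy_access")
    return findings


def redact_uri(uri):
    """Replace the access_token value so the token does not persist in logs."""
    return re.sub(r'(access_token=)[^&#]*', r'\1REDACTED', uri)


def scan(lines):
    """Scan audit lines; return (id, findings, redacted_uri) for each hit."""
    hits = []
    for line in lines:
        record = parse_audit_line(line)
        findings = classify(record)
        if findings:
            hits.append((record.get("id"), findings, redact_uri(record.get("uri", ""))))
    return hits


if __name__ == "__main__":
    for request_id, findings, uri in scan(SAMPLE_AUDIT_LINES):
        print(request_id, ",".join(findings), uri)
```

Either finding on its own is worth an alert: the first shows a token being handed to the proxy in a form a browser will happily replay from an `<img>` or `<script>` tag, and the second shows the proxy reachable without credentials at all, which is what turns the first into a credential-theft vector when the console and API share an origin.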
Acknowledgments: Name: Jordan Liggitt (Red Hat)
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 3.2 Via RHSA-2016:1094 https://access.redhat.com/errata/RHSA-2016:1094
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 3.1 Via RHSA-2016:1095 https://access.redhat.com/errata/RHSA-2016:1095