A reflected XSS vulnerability exists in the authentication flow of OpenShift Container Platform. An attacker could use this flaw to steal authentication data by getting a user to click on a malicious link.
Acknowledgments: Name: Jeremy Choi (Red Hat)
Statement: Since the HTTP response "Content-Type" is "text/plain", most browsers won't execute any JavaScript in the response content. However, if an attacker can trick a user into loading the response in an iframe, it is possible to exploit this vulnerability. An appropriate Cross-Origin Resource Sharing (CORS) allowed-domain configuration in OCP 3 should prevent an attacker from getting any response from an attacker-hosted domain. Therefore, make sure that corsAllowedDomains is specified correctly in your OCP 3 master-config.yaml. See [1] for more details on an issue with corsAllowedDomains in OCP 3. Also note that content-sniffing browsers [2] do execute JavaScript even when the "Content-Type" HTTP response header is set to "text/plain".
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694913
[2] https://en.wikipedia.org/wiki/Content_sniffing
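The statement above ties the practical exposure to three things a defender can check on an authentication endpoint's responses: whether the CORS allowed-domain list admits untrusted origins, whether a "text/plain" response can still be content-sniffed, and whether the response can be framed. The following is an added example written for this page, not code from Red Hat or OpenShift. It audits a captured set of response headers against a hypothetical allow-list; the allow-list entries, the sample headers and the origin names are constructed, and treating the entries as anchored regular expressions is an assumption of this example rather than a statement about how OCP 3 parses corsAllowedDomains.

```python
import re
from typing import Dict, List

# Hypothetical allow-list standing in for the corsAllowedDomains entries of
# an OCP 3 master-config.yaml. Entries are treated as anchored regular
# expressions here (an assumption of this example, not OCP's own semantics).
TRUSTED_ORIGIN_PATTERNS = [
    r"https://console\.example\.internal(:\d+)?",
    r"https://api\.example\.internal(:\d+)?",
]


def origin_is_trusted(origin: str, patterns=TRUSTED_ORIGIN_PATTERNS) -> bool:
    """True when the Origin matches an allow-list entry in full.

    fullmatch() avoids the classic mistake of a prefix match that would
    also accept 'https://console.example.internal.untrusted.example'.
    """
    return any(re.fullmatch(p, origin) for p in patterns)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def audit_response(headers: Dict[str, str], request_origin: str,
                   patterns=TRUSTED_ORIGIN_PATTERNS) -> List[str]:
    """Return a list of finding tags for one response to a cross-origin request.

    cors-untrusted-origin : the response grants the requesting origin (or '*')
                            although it is not on the allow-list, so a page on
                            that origin could read the reflected content.
    sniffable-text-plain  : Content-Type is text/plain but X-Content-Type-Options
                            is not 'nosniff', so sniffing browsers may still
                            interpret the body as HTML/script.
    frameable             : no DENY/SAMEORIGIN X-Frame-Options, so the response
                            can be loaded in an iframe on another site.
    """
    findings: List[str] = []

    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao == "*" or (acao == request_origin and
                       not origin_is_trusted(request_origin, patterns)):
        findings.append("cors-untrusted-origin")

    content_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = _header(headers, "X-Content-Type-Options").lower() == "nosniff"
    if content_type == "text/plain" and not nosniff:
        findings.append("sniffable-text-plain")

    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("frameable")

    return findings


# Constructed sample responses (not captured from a real cluster).
WEAK_HEADERS = {
    "Content-Type": "text/plain; charset=utf-8",
    # Reflects whatever Origin the request carried.
    "Access-Control-Allow-Origin": "https://untrusted.example",
}

HARDENED_HEADERS = {
    "Content-Type": "text/plain; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    # No Access-Control-Allow-Origin at all for an origin off the allow-list.
}

if __name__ == "__main__":
    origin = "https://untrusted.example"
    print("weak    :", audit_response(WEAK_HEADERS, origin))
    print("hardened:", audit_response(HARDENED_HEADERS, origin))
```

Run it as-is to see the three findings raised for the weak response and none for the hardened one; to audit a live endpoint, feed it the header dictionary from an HTTP client of your choice together with the Origin you sent. The allow-list check is deliberately a full match, because a corsAllowedDomains entry that matches as a prefix or substring is exactly the kind of misconfiguration that turns a "text/plain" reflection into a readable cross-origin response.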
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3722 https://access.redhat.com/errata/RHSA-2019:3722
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3889
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2019:3770 https://access.redhat.com/errata/RHSA-2019:3770
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:0795 https://access.redhat.com/errata/RHSA-2020:0795