1813788 – (CVE-2020-1761) CVE-2020-1761 openshift/console: access token stored in browser local storage

Bug 1813788 (CVE-2020-1761) - CVE-2020-1761 openshift/console: access token stored in browser local storage

Summary: CVE-2020-1761 openshift/console: access token stored in browser local storage

Keywords:
Status:	NEW
Alias:	CVE-2020-1761
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1801831
Blocks:	1813119
TreeView+	depends on / blocked

Reported:	2020-03-16 05:12 UTC by Jason Shepherd
Modified:	2023-07-07 08:28 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openshift/console-4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim's browser.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Jason Shepherd 2020-03-16 05:12:13 UTC

It was found that access token is stored in the browser’s local storage. Attackers can get the access token with physical access. In case of a XSS vulnerability, attackers can get the access token as javascript can read it.

Comment 4 Jason Shepherd 2020-03-16 23:23:21 UTC

Acknowledgments:

Name: Jeremy Choi (Red Hat)

Note You need to log in before you can comment on or make changes to this bug.