1889435 – (CVE-2020-27839) [security] Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers

Bug 1889435 - (CVE-2020-27839) [security] Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers

Summary: (CVE-2020-27839) [security] Don't use Browser's LocalStorage for storing JWT ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	Ceph-Dashboard
Sub Component:
Version:	5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	5.0
Assignee:	avan
QA Contact:	Sunil Angadi
Docs Contact:	Ranjini M N
URL:
Whiteboard:	security
Depends On:
Blocks:	1959686
TreeView+	depends on / blocked

Reported:	2020-10-19 16:25 UTC by Ernesto Puerta
Modified:	2021-08-30 08:27 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ceph-16.0.0-8633.el8cp
Doc Type:	Bug Fix
Doc Text:	.Secure cookie-based sessions are enabled for accessing the {storage-product} Dashboard Previously, storing information in LocalStorage made the {storage-product} dashboard accessible to all sessions running in a browser, making the dashboard vulnerable to XSS attacks. With this release, LocalStorage is replaced with secure cookie-based sessions and thereby the session secret is available only to the current browser instance.
Clone Of:
Environment:
Last Closed:	2021-08-30 08:26:43 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	44591	None	None	None	2020-10-19 16:32:21 UTC
Github	ceph ceph pull 38259	None	closed	mgr/dashboard: Use secure cookies to store JWT Token	2021-02-15 09:59:58 UTC
Red Hat Issue Tracker	RHCEPH-991	None	None	None	2021-08-26 16:14:01 UTC
Red Hat Issue Tracker	RHCSDASH-237	None	None	None	2021-08-26 16:13:56 UTC
Red Hat Product Errata	RHBA-2021:3294	None	None	None	2021-08-30 08:27:01 UTC

Internal Links: 1901330

Comment 12 errata-xmlrpc 2021-08-30 08:26:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3294

Note You need to log in before you can comment on or make changes to this bug.