Bug 1990363 - stackrox: Missing HTTP security headers allows for clickjacking in web UI
Summary: stackrox: Missing HTTP security headers allows for clickjacking in web UI
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1989640
 
Reported: 2021-08-05 09:23 UTC by lnacshon
Modified: 2023-07-07 08:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
In Red Hat Advanced Cluster Security (RHACS), it was found that some security-related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description lnacshon 2021-08-05 09:23:45 UTC
In RHACS 3.63.0, the UI was found to be vulnerable to clickjacking. This is caused by missing HTTP headers (X-Frame-Options or Content-Security-Policy), which helps an attacker load an iframe and trick the user into clicking and transferring it into their malformed website.
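As an added example (not StackRox code and not from this report), the Go program below shows the mitigation for the finding above: a middleware that sets both headers the report names, plus a check that inspects a response for them and treats a wildcard `frame-ancestors` source as unprotected. The handler, the request path and the sample CSP values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// antiFraming adds both headers named in the report to every response it wraps.
func antiFraming(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'") // no origin may embed the UI
		next.ServeHTTP(w, r)
	})
}

// cspForbidsFraming is true only if a frame-ancestors directive exists and has no wildcard source.
func cspForbidsFraming(csp string) bool {
	for _, directive := range strings.Split(csp, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 || !strings.EqualFold(fields[0], "frame-ancestors") {
			continue
		}
		// a wildcard source lets any site embed the page; an empty source list means 'none'
		return !strings.Contains(" "+strings.Join(fields[1:], " ")+" ", " * ")
	}
	return false // directive absent: this CSP gives no framing protection
}

// framingProtected accepts either header; browsers prefer frame-ancestors and fall back to X-Frame-Options.
func framingProtected(h http.Header) bool {
	xfo := strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options")))
	return xfo == "DENY" || xfo == "SAMEORIGIN" || cspForbidsFraming(h.Get("Content-Security-Policy"))
}

// checkHandler serves one constructed request through httptest, then inspects the response headers.
func checkHandler(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return framingProtected(rec.Result().Header)
}

func main() {
	ui := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "<html>ui</html>") })
	fmt.Println("bare:", checkHandler(ui), "wrapped:", checkHandler(antiFraming(ui))) // bare: false wrapped: true
}
```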

