Bug 2106780 (CVE-2022-3260) - CVE-2022-3260 Openshift: Missing X-Frame-Options Header
Summary: CVE-2022-3260 Openshift: Missing X-Frame-Options Header
Keywords:
Status: NEW
Alias: CVE-2022-3260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2106781
TreeView+ depends on / blocked
 
Reported: 2022-07-13 14:06 UTC by Sage McTaggart
Modified: 2023-07-07 08:29 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Sage McTaggart 2022-07-13 14:06:07 UTC 
Description of the problem:
The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack. Clickjacking, also known as a 'UI redress attack', is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is 'hijacking' clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

Release version:
2.4.4

Operator snapshot version:
Unknown

OCP version:
4.9

Browser Info:
Unknown

Steps to reproduce:
1. Login into the application Using "admin1" user
2. Navigate to search >> filter
3. Intercept the request using a proxy tool
4. Apply attack value in parameter
Parameter: filters
Attack Value: [{"property":"kind","values":["test"]},{"property":"'b) OR (1","values":["1'"]}

Actual results:

Expected results:

Additional info:
Note You need to log in before you can comment on or make changes to this bug.