Bug 2148667 (CVE-2022-4145) - CVE-2022-4145 openshift: content spoofing
Summary: CVE-2022-4145 openshift: content spoofing
Status: NEW
Alias: CVE-2022-4145
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On:
Blocks: 2142217
Reported: 2022-11-26 22:18 UTC by Nick Tait
Modified: 2023-10-05 06:02 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
Clone Of:
Last Closed:


Description Nick Tait 2022-11-26 22:18:48 UTC
There is a content spoofing flaw in OpenShift's OAuth endpoint (https://oauth.openshift.apps.HOSTNAME.com): spoofing an error_description query param results in the error message coming back in the OpenShift response JSON. For example, this URL:


shows an error message that includes text injected by the attacker: "An error occurred, to correct please visit http://dr.evil.com or call the number 081337"
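
The reflected-parameter pattern the report describes, shown beside one way to close it, as an added example in Go (the language OpenShift is written in). This is not OpenShift's code and does not claim to show how its OAuth server is implemented: the two handlers, the /oauth/authorize route and the helper names are hypothetical. The error codes and their descriptions follow RFC 6749 section 4.1.2.1, and the attacker string is the one quoted in the report, embedded here as constructed test input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// oauthError is the RFC 6749 error response body shape.
type oauthError struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description,omitempty"`
}

// injectedDescription is the attacker text quoted in the report (constructed input).
const injectedDescription = "An error occurred, to correct please visit http://dr.evil.com or call the number 081337"

// reflectingHandler is the hypothetical vulnerable pattern: whatever the client
// put in error_description is echoed back verbatim in the JSON body.
func reflectingHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	writeError(w, oauthError{Error: q.Get("error"), ErrorDescription: q.Get("error_description")})
}

// knownErrors maps the RFC 6749 section 4.1.2.1 error codes to server-owned descriptions.
var knownErrors = map[string]string{
	"invalid_request":           "The request is missing a required parameter or is otherwise malformed.",
	"unauthorized_client":       "The client is not authorized to request an authorization code.",
	"access_denied":             "The resource owner or authorization server denied the request.",
	"unsupported_response_type": "The authorization server does not support this response type.",
	"invalid_scope":             "The requested scope is invalid, unknown, or malformed.",
	"server_error":              "The authorization server encountered an unexpected condition.",
	"temporarily_unavailable":   "The authorization server is temporarily unavailable.",
}

// hardenedHandler accepts only a known error code from the request and always
// takes the description from the server-side table, so no client-supplied free
// text ever reaches the response body. Unknown codes collapse to invalid_request.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	code := r.URL.Query().Get("error")
	desc, ok := knownErrors[code]
	if !ok {
		code = "invalid_request"
		desc = knownErrors[code]
	}
	writeError(w, oauthError{Error: code, ErrorDescription: desc})
}

// writeError serialises an oauthError as a 400 JSON response.
func writeError(w http.ResponseWriter, e oauthError) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusBadRequest)
	_ = json.NewEncoder(w).Encode(e)
}

// render drives a handler in-process with a GET carrying rawQuery and decodes the JSON it wrote.
func render(h http.HandlerFunc, rawQuery string) (oauthError, error) {
	req := httptest.NewRequest(http.MethodGet, "/oauth/authorize?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	var out oauthError
	if err := json.Unmarshal(rec.Body.Bytes(), &out); err != nil {
		return oauthError{}, err
	}
	return out, nil
}

// echoesClientText reports whether a handler reflects a client-supplied
// error_description verbatim, which is the condition behind the spoofing report.
func echoesClientText(h http.HandlerFunc) bool {
	q := url.Values{"error": {"invalid_request"}, "error_description": {injectedDescription}}.Encode()
	resp, err := render(h, q)
	return err == nil && resp.ErrorDescription == injectedDescription
}

func main() {
	fmt.Println("reflecting handler echoes attacker text:", echoesClientText(reflectingHandler))
	fmt.Println("hardened handler echoes attacker text:  ", echoesClientText(hardenedHandler))
	resp, _ := render(hardenedHandler, "error=not_a_real_code&error_description=ignored")
	fmt.Printf("hardened handler with unknown code: %+v\n", resp)
}
```

The hardened handler never copies free text from the query string: the client can only select one of the known error codes, and the description is always the server's own. That is also the property to check on a live endpoint: a request carrying an arbitrary error_description whose text comes back verbatim in the JSON body is reflecting client-controlled content in the way the report describes.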
