1622372 – (CVE-2018-10937) CVE-2018-10937 tectonic-console: XSS Vulnerability in K8s API proxy

Bug 1622372 (CVE-2018-10937) - CVE-2018-10937 tectonic-console: XSS Vulnerability in K8s API proxy

Summary: CVE-2018-10937 tectonic-console: XSS Vulnerability in K8s API proxy

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-10937
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1622373
Blocks:	1619496
TreeView+	depends on / blocked

Reported:	2018-08-27 00:30 UTC by Jason Shepherd
Modified:	2021-02-16 23:09 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-03-28 15:08:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jason Shepherd 2018-08-27 00:30:05 UTC

A XSS flaw exists in the tetonic-console component of Openshift Container Platfrom 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim.

Comment 3 Jason Shepherd 2018-08-27 00:51:19 UTC

Acknowledgments:

Name: Sam Padgett (Red Hat)

Comment 4 Laura Pardo 2018-08-27 21:27:34 UTC

References:
https://github.com/openshift/console/pull/461

Upstream fix:
https://github.com/openshift/console/commit/d56666852da6e7309a2e63a49f49a72ff66d309c

Comment 8 Jason Shepherd 2019-03-28 01:14:38 UTC

This vulnerability was fixed prior to the release of OpenShift 3.11, so the initial release of that version was not affected.

Note You need to log in before you can comment on or make changes to this bug.