Bug 1693499 (CVE-2019-3889) - CVE-2019-3889 atomic-openshift: reflected XSS in authorization flow
Summary: CVE-2019-3889 atomic-openshift: reflected XSS in authorization flow
Status: NEW
Alias: CVE-2019-3889
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20190708,repor...
Keywords: Security
Depends On: 1694935 1695419 1695420 1695421 1695422 1695423 1695424
Blocks: 1693494
TreeView+ depends on / blocked
Reported: 2019-03-28 01:43 UTC by Jason Shepherd
Modified: 2019-07-08 01:33 UTC (History)
11 users (show)

Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Jason Shepherd 2019-03-28 01:43:02 UTC
A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform. An attacker could use this flaw to steal authorization data by getting them to click on a malicious link.

Comment 1 Jason Shepherd 2019-04-02 05:49:53 UTC

Name: Jeremy Choi (Red Hat)

Comment 4 Jason Shepherd 2019-04-03 05:23:29 UTC

Since the HTTP Response "Content Type" is "text/plain" most browsers won't execute any Javascipt in the response content. However if an attacker can trick a user into loading the response in an iFrame it is possible to exploit this vulnerability. Appropriate Cross Origin Resource (CORS) Allowed Domain configuration in OCP 3 should prevent an attacker from getting any response from a attacker hosted domain. Therefore make sure that corsAllowedDomains is specified correctly in your OCP 3 master-config.yaml. See [1] for more details on an issue with corsAllowedDomains in OCP 3.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694913

Also content sniffing browsers [2] do execute Javascript even when the "Content Type" HTTP Response header is set to "text/plain".

[2] https://en.wikipedia.org/wiki/Content_sniffing

Note You need to log in before you can comment on or make changes to this bug.