OpenShift Container Platform (OCP) 3.11 was too permissive in the way it specified CORS allowed origins during installation. An attacker able to man-in-the-middle the connection between the user's browser and the OpenShift console could use this flaw to perform a phishing attack.
Mitigation: Ensure that the corsAllowedOrigins definition within master-config.yaml contains elements in the form

~~~
corsAllowedOrigins:
  - ^(?i)https://my\.subdomain\.domain\.com(:|\z)
~~~

and not the form

~~~
corsAllowedOrigins:
  - (?i)//my\.subdomain\.domain\.com(:|\z)
~~~

as the first will permit cross-origin requests only if both the host and the protocol match, whereas the second would also permit, for example, a downgrade to the http protocol.
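To check which Origin header values each form of the pattern would accept before editing master-config.yaml, the following script (an added example, not part of this bug report or of OpenShift itself) evaluates both patterns from the mitigation above against a constructed list of origins. It assumes the master matches the pattern unanchored, as Go's regexp.MatchString does; since the patterns are written in Go RE2 syntax, the script rewrites the two constructs Python's re module handles differently (an inline `(?i)` that does not sit at the very start of the pattern, and `\z` for end-of-text) before compiling.

```python
import re

# The two patterns quoted in the mitigation text above.
STRICT_PATTERN = r"^(?i)https://my\.subdomain\.domain\.com(:|\z)"
PERMISSIVE_PATTERN = r"(?i)//my\.subdomain\.domain\.com(:|\z)"


def go_regex_to_python(pattern):
    """Translate the RE2 syntax used in master-config.yaml into Python `re`.

    Two differences matter here: Go accepts an inline `(?i)` after `^`,
    which Python 3.11+ rejects unless it is at the very start, and Go
    spells end-of-text as `\\z` where Python spells it `\\Z`.
    """
    flags = 0
    if "(?i)" in pattern:
        flags |= re.IGNORECASE
        pattern = pattern.replace("(?i)", "")
    pattern = pattern.replace(r"\z", r"\Z")
    return re.compile(pattern, flags)


def origin_allowed(pattern, origin):
    """Unanchored match against an Origin header value (assumption: this
    mirrors how the master applies corsAllowedOrigins entries)."""
    return go_regex_to_python(pattern).search(origin) is not None


# Constructed Origin header values a browser could send; not from the report.
TEST_ORIGINS = [
    "https://my.subdomain.domain.com",
    "https://my.subdomain.domain.com:8443",
    "https://MY.SUBDOMAIN.DOMAIN.COM",
    "http://my.subdomain.domain.com",                # protocol downgrade
    "https://my.subdomain.domain.com.evil.example",  # hostname suffix
    "https://xmy.subdomain.domain.com",              # hostname prefix
]


def audit_pattern(pattern, origins=TEST_ORIGINS):
    """Return the subset of origins the pattern would accept."""
    return [o for o in origins if origin_allowed(pattern, o)]


def downgrade_permitted(pattern):
    """True when the pattern accepts the plain-http form of its own host,
    which is the weakness the mitigation is about."""
    return origin_allowed(pattern, "http://my.subdomain.domain.com")


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_PATTERN), ("permissive", PERMISSIVE_PATTERN)):
        print(name, "accepts:", audit_pattern(pat))
        print(name, "permits http downgrade:", downgrade_permitted(pat))
```

Running it shows both patterns reject the suffix and prefix hostnames thanks to the `(:|\z)` tail, but only the scheme-anchored form rejects the http:// origin; that is the difference the mitigation relies on.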
Filed a bug to get the documentation updated: https://bugzilla.redhat.com/show_bug.cgi?id=1813799
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:3541 https://access.redhat.com/errata/RHSA-2020:3541
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1741