First published: Wed Mar 20 2019
## Withdrawn Advisory

This advisory has been withdrawn because the vulnerability does not affect a package in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references.

## Original Description

A flaw was found in the `/oauth/token/request` custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/openshift/oauth-apiserver | >=3.0, <3.11 | 3.11 |
| redhat/atomic-openshift | <0:3.11.129-1.git.0.bd4f2d5.el7 | 0:3.11.129-1.git.0.bd4f2d5.el7 |
| redhat/jenkins | <2-plugins-0:3.11.1560870549-1.el7 | 2-plugins-0:3.11.1560870549-1.el7 |
| Red Hat OpenShift Container Platform | >=3.0, <=3.11 | |
Since at least v3.4, the OpenShift documentation [1] has specified the format for corsAllowedOrigins so that entries accurately match the intended hostnames. Since at least v3.7, installs default to the correctly formatted regular-expression entries. Earlier versions may be configured with plain strings, a configuration which persists across cluster upgrades and leaves them open to cross-origin vulnerabilities such as this one.

At a minimum, you should ensure that the corsAllowedOrigins definition within master-config.yaml contains elements in the form

~~~
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
~~~

and not the form

~~~
corsAllowedOrigins:
- domain.com
~~~

as the first will permit cross-origin requests only if the host matches exactly, whereas the second will permit requests from any host that merely contains the string (such as ABCDdomain.com or even domain.comABCD.com).

Footnotes:

[1] https://docs.openshift.com/container-platform/3.4/architecture/infrastructure_components/web_console.html#corsAllowedOrigins
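The following Go program is an added illustration of the matching behaviour described above; it is not OpenShift's own code. It compiles each corsAllowedOrigins entry as a regular expression (which is how a plain string such as `domain.com` ends up being treated) and applies it to a set of constructed Origin header values. The assumption that the pattern is matched against the full Origin header string (scheme, `//`, host and optional port) is ours, chosen because the recommended pattern begins with `//` and ends with `(:|\z)`; the sample origins are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// compileAllowedOrigins compiles the corsAllowedOrigins entries. Every entry
// is a regular expression, so an entry written as a plain string such as
// "domain.com" becomes an unanchored regex in which "." matches any character.
func compileAllowedOrigins(entries []string) ([]*regexp.Regexp, error) {
	res := make([]*regexp.Regexp, 0, len(entries))
	for _, e := range entries {
		re, err := regexp.Compile(e)
		if err != nil {
			return nil, fmt.Errorf("corsAllowedOrigins entry %q: %w", e, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// originAllowed reports whether an Origin header value matches any entry.
// Assumption (ours, not from the advisory): the regex is applied to the full
// Origin header value, e.g. "https://my.subdomain.domain.com:8443".
func originAllowed(origin string, allowed []*regexp.Regexp) bool {
	for _, re := range allowed {
		if re.MatchString(origin) {
			return true
		}
	}
	return false
}

// sampleOrigins are constructed values: the intended host (with and without a
// port) plus three look-alike hosts that a substring match would also accept.
var sampleOrigins = []string{
	"https://my.subdomain.domain.com",
	"https://my.subdomain.domain.com:8443",
	"https://ABCDdomain.com",
	"https://domain.comABCD.com",
	"https://my.subdomain.domain.com.evil.example",
}

// evaluate returns, for each sample origin, whether the given entries accept it.
func evaluate(entries []string) (map[string]bool, error) {
	allowed, err := compileAllowedOrigins(entries)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(sampleOrigins))
	for _, o := range sampleOrigins {
		out[o] = originAllowed(o, allowed)
	}
	return out, nil
}

func main() {
	configs := []struct {
		name    string
		entries []string
	}{
		{"weak (plain string)", []string{`domain.com`}},
		{"strict (anchored)", []string{`(?i)//my\.subdomain\.domain\.com(:|\z)`}},
	}
	for _, c := range configs {
		results, err := evaluate(c.entries)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Println(c.name)
		for _, o := range sampleOrigins {
			fmt.Printf("  %-48s allowed=%v\n", o, results[o])
		}
	}
}
```

Running it shows the plain-string entry accepting all five origins, while the anchored entry accepts only the two that name the intended host exactly; the `(:|\z)` tail is what stops `my.subdomain.domain.com.evil.example` from matching.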