CVE-2020-10715: Input Validation
First published: Thu Oct 31 2019(Updated: )
A content spoofing vulnerability was found in the openshift/console 3.11 and 4.x. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the inserted text is legitimate.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/atomic-openshift-web-console | <0:3.11.248-1.git.1.cc96c2d.el7 | 0:3.11.248-1.git.1.cc96c2d.el7 |
| redhat/openshift/origin-web-console | <2 | 2 |
| Redhat Openshift | >=4.0<=4.3.5 | |
| Redhat Openshift | =3.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1767665
- https://github.com/openshift/origin-web-console/pull/3173
- https://www.owasp.org/index.php/Content_Spoofing
- https://github.com/spadgett/console/blob/d390194f13bab8175e42eaf5a077a220b538624f/frontend/public/components/error.tsx#L33-L44
- https://access.redhat.com/errata/RHSA-2020:2992
- https://access.redhat.com/security/cve/cve-2020-10715
- https://access.redhat.com/errata/RHSA-2020:4298
- https://www.cve.org/CVERecord?id=CVE-2020-10715 https://nvd.nist.gov/vuln/detail/CVE-2020-10715
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-10715
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/redhat openshift
- version/redhat openshift/4.0
- version/redhat openshift/4.3.5
- version/redhat openshift/3.11