First published: Mon Jan 27 2020
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | | |
| Red Hat OpenShift Container Platform | =3.11.286 | |
| Red Hat OpenShift Container Platform | =4.6.1 | |
Any Kibana version that includes the change in [1] can add the following configuration option to `config/kibana.yml` to mitigate the problem:

```yaml
server.customResponseHeaders: {"x-frame-options":"deny"}
```

or

```yaml
server.customResponseHeaders: {"x-frame-options":"sameorigin"}
```

[1] https://github.com/elastic/kibana/pull/13045
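Setting `server.customResponseHeaders` only helps if the header actually reaches the browser, so a defender will want to verify the deployed Kibana's responses after the change. The following is an added example, not code from the advisory or from the Kibana project: it parses a raw HTTP response header block and classifies the anti-framing policy it declares, treating `X-Frame-Options` and the newer `Content-Security-Policy: frame-ancestors` directive (which browsers prefer when both are present). The two sample responses are constructed for illustration; the `kbn-name` header is shown as a Kibana-like example, not taken from the page.

```python
"""Classify the anti-framing (clickjacking) policy declared by an HTTP response.

Added example, not part of the advisory or of Kibana: after setting
server.customResponseHeaders in config/kibana.yml, confirm that the header is
really emitted. The sample header blocks below are constructed.
"""
from typing import Dict

# Constructed sample: a response before the mitigation (no framing restriction).
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "kbn-name: kibana\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Constructed sample: the same response after
#   server.customResponseHeaders: {"x-frame-options":"deny"}
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "kbn-name: kibana\r\n"
    "x-frame-options: deny\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 header block into a lower-cased name -> value map.

    Header names are case-insensitive, so callers can look up
    "x-frame-options" regardless of how the server capitalised it.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def framing_policy(headers: Dict[str, str]) -> str:
    """Return the framing policy a response declares.

      "deny"        - X-Frame-Options: DENY, or CSP frame-ancestors 'none'
      "sameorigin"  - X-Frame-Options: SAMEORIGIN, or CSP frame-ancestors 'self'
      "restricted"  - CSP frame-ancestors naming specific allowed origins
      "unprotected" - no recognised restriction: any site may frame the page

    CSP frame-ancestors overrides X-Frame-Options in browsers that support it,
    so it is evaluated first.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            if sources:
                return "restricted"
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it and any
    # other unrecognised value count as no protection.
    return "unprotected"


def is_clickjacking_protected(raw_response: str) -> bool:
    """True if the response forbids framing by third-party origins."""
    return framing_policy(parse_headers(raw_response)) != "unprotected"


if __name__ == "__main__":
    for label, raw in (("before", UNPROTECTED_RESPONSE), ("after", PROTECTED_RESPONSE)):
        print(f"{label}: {framing_policy(parse_headers(raw))}")
```

In practice the raw header block would come from a request to the Kibana endpoint (for example the output of `curl -sI`), and a result of `unprotected` after the configuration change means the custom header is not being applied, typically because the change was made on a different Kibana instance or the service was not restarted.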
CVE-2020-10743 is a vulnerability discovered in OpenShift Container Platform's (OCP) distribution of Kibana that allows an attacker to intercept and manipulate requests through a clickjacking attack.
CVE-2020-10743 has a severity rating of low, with a severity value of 3.1.
CVE-2020-10743 affects OpenShift Container Platform's distribution of Kibana by allowing an attacker to trick a user into performing arbitrary actions in Kibana.
A fix for CVE-2020-10743 has been provided by the vendor. It is recommended to update to the latest version of OpenShift Container Platform's distribution of Kibana.
More information about CVE-2020-10743 can be found in the references provided: [GitHub Issue](https://github.com/gardener/gardener/issues/1860), [GitHub Issue](https://github.com/elastic/kibana/issues/52809), and [GitHub Pull Request](https://github.com/elastic/kibana/pull/13045).