PT-2016-5666 · Red Hat · Red Hat Openshift Enterprise
Jordan Liggitt · Published 2016-06-08 · Updated 2023-02-12 · CVE-2016-3703
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Red Hat OpenShift Enterprise versions 3.1 through 3.2
Description
The issue arises from improper validation of the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod. This allows a remote attacker to obtain API credentials stored in the web browser's localStorage by way of an access token passed in a query parameter.
Recommendations
For Red Hat OpenShift Enterprise versions 3.1 through 3.2, restrict anonymous access to the service/proxy and pod/proxy APIs to reduce the risk of exploitation. As a temporary workaround, restrict access to localStorage and validate the origin of requests so that API credentials cannot be accessed by unauthorized parties.
Weakness Enumeration
Improper Access Control
Affected Products
Red Hat Openshift Enterprise