CVE-2020-10743 - OpenCVE

It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	Kibana
Redhat	Openshift Openshift Container Platform

Configuration 1 [-]

cpe:2.3:a:elastic:kibana:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:openshift_container_platform:3.11.286:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.6.1:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 3.11
openshift3/ose-logging-kibana5:v3.11.286-1	cpe:/a:redhat:openshift:3.11::el7	RHSA-2020:3727	2020-09-16T00:00:00Z
Red Hat OpenShift Container Platform 4.6
openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0	cpe:/a:redhat:openshift:4.6::el8	RHSA-2020:4298	2020-10-27T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1834550
https://nvd.nist.gov/vuln/detail/CVE-2020-10743
https://www.cve.org/CVERecord?id=CVE-2020-10743

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-06-02T10:54:17

Updated: 2024-08-04T11:14:14.983Z

Reserved: 2020-03-20T00:00:00

Link: CVE-2020-10743

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-06-02T11:15:07.897

Modified: 2023-02-12T23:39:08.747

Link: CVE-2020-10743

Redhat

Severity : Low

Publid Date: 2020-01-27T00:00:00Z

Links: CVE-2020-10743 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:-:*:*:*:*:*:*:*", "matchCriteriaId": "CFD0912E-5835-4B54-91F2-AE43E5D5D16F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11.286:*:*:*:*:*:*:*", "matchCriteriaId": "E4DA9462-5DBA-4947-AD7C-B824F35BA56C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "E9157B68-4D24-4F20-8A27-EA66F09FF834", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking."}, {"lang": "es", "value": "Se detect\u00f3 que la distribuci\u00f3n Kibana OpenShift Container Platform (OCP) pod\u00eda abrirse en un iframe, lo que permit\u00eda interceptar y manipular las peticiones. Este fallo permite a un atacante enga\u00f1ar a un usuario para llevar a cabo acciones arbitrarias en la distribuci\u00f3n de Kibana de OCP, como el clickjacking"}], "id": "CVE-2020-10743", "lastModified": "2023-02-12T23:39:08.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T11:15:07.897", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:3727", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-kibana5:v3.11.286-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2020-09-16T00:00:00Z"}, {"advisory": "RHSA-2020:4298", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-10-27T00:00:00Z"}], "bugzilla": {"description": "kibana: X-Frame-Option not set by default might lead to clickjacking", "id": "1834550", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-358", "details": ["It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.", "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking."], "mitigation": {"lang": "en:us", "value": "Any Kibana version with this commit [1] can add the following configuration option to mitigation the problem:\nconfig/kibana.yml:\nserver.customResponseHeaders: {\"x-frame-options\":\"deny\"}\nor\nserver.customResponseHeaders: {\"x-frame-options\":\"sameorigin\"}\n[1] https://github.com/elastic/kibana/pull/13045"}, "name": "CVE-2020-10743", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-01-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10743\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10743"], "statement": "This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana don't consider this a vulnerability, but may address this in a future version:\nhttps://github.com/elastic/kibana/issues/52809", "threat_severity": "Low"}