{"containers": {"cna": {"affected": [{"product": "Kibana", "vendor": "n/a", "versions": [{"status": "affected", "version": "OpenShift Container Platform 3.11.286 and OpenShift Container Platform 4.6.1"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-358", "description": "CWE-358", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-02T10:54:17", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:14.983Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10743", "datePublished": "2021-06-02T10:54:17", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:14.983Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:-:*:*:*:*:*:*:*", "matchCriteriaId": "CFD0912E-5835-4B54-91F2-AE43E5D5D16F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11.286:*:*:*:*:*:*:*", "matchCriteriaId": "E4DA9462-5DBA-4947-AD7C-B824F35BA56C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "E9157B68-4D24-4F20-8A27-EA66F09FF834", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking."}, {"lang": "es", "value": "Se detect\u00f3 que la distribuci\u00f3n Kibana OpenShift Container Platform (OCP) pod\u00eda abrirse en un iframe, lo que permit\u00eda interceptar y manipular las peticiones. Este fallo permite a un atacante enga\u00f1ar a un usuario para llevar a cabo acciones arbitrarias en la distribuci\u00f3n de Kibana de OCP, como el clickjacking"}], "id": "CVE-2020-10743", "lastModified": "2024-11-21T04:55:58.640", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T11:15:07.897", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:3727", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-kibana5:v3.11.286-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2020-09-16T00:00:00Z"}, {"advisory": "RHSA-2020:4298", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-10-27T00:00:00Z"}], "bugzilla": {"description": "kibana: X-Frame-Option not set by default might lead to clickjacking", "id": "1834550", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-358", "details": ["It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.", "It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking."], "mitigation": {"lang": "en:us", "value": "Any Kibana version with this commit [1] can add the following configuration option to mitigation the problem:\nconfig/kibana.yml:\nserver.customResponseHeaders: {\"x-frame-options\":\"deny\"}\nor\nserver.customResponseHeaders: {\"x-frame-options\":\"sameorigin\"}\n[1] https://github.com/elastic/kibana/pull/13045"}, "name": "CVE-2020-10743", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-01-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10743\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10743"], "statement": "This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana don't consider this a vulnerability, but may address this in a future version:\nhttps://github.com/elastic/kibana/issues/52809", "threat_severity": "Low"}