CVE-2021-3660: UI Misrepresentation / Clickjacking in Cockpit

Severity
4.3 MEDIUM (NVD)
EPSS
0.3% (top 49.48%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 10
Latest update: Mar 11

Description

Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server inside an <iframe> HTML element on another website. This may be used by a malicious website in clickjacking or similar attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

Debian: agentejo/cockpit, < 254-1+2
CVEListV5: agentejo/cockpit, fixed in cockpit v254 and later.
CVEListV5: cockpit-project/cockpit, fixed in cockpit v254 and later.

Also affects: Enterprise Linux 8.0

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-5m9v-2hhc-h2wj: Cockpit (and its plugins) do not seem to protect itself against clickjacking (2022-03-11)
OSV
CVE-2021-3660: Cockpit (and its plugins) do not seem to protect itself against clickjacking (2022-03-10)
CVEList
CVE-2021-3660: Cockpit (and its plugins) do not seem to protect itself against clickjacking (2022-03-07)

📋 Vendor Advisories (3)

Microsoft
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website inside an <iframe> HTML entry. This may be used... (2022-03-08)
Red Hat
cockpit: pages vulnerable to clickjacking (2021-07-20)
Debian
CVE-2021-3660: cockpit - Cockpit (and its plugins) do not seem to protect itself against clickjacking. It... (2021)
CVE-2021-3660 — UI Misrepresentation / Clickjacking | cvebase