CVE-2023-4958 — UI Misrepresentation / Clickjacking in Redhat Advanced Cluster Security

CWE-1021 — UI Misrepresentation / Clickjacking CWE-77 — Command Injection4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 90.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Advanced Cluster Security

Timeline

PublishedDec 12

Description

In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDredhat/advanced_cluster_security3.0, 4.0+1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

CVEList

Stackrox: missing http security headers allows for clickjacking in web ui↗2023-12-12

▶

GHSA

GHSA-2xrv-7wfr-fxj6: In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this↗2023-12-12

▶

📋Vendor Advisories

Red Hat

stackrox: Missing HTTP security headers allows for clickjacking in web UI↗2022-06-02

▶