CVE-2023-4958

MEDIUM 6.1

Stackrox: missing http security headers allows for clickjacking in web ui

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.

CWE	CWE-1021
Vendor	red hat
Product	red hat advanced cluster security 4.2
Published	Dec 12, 2023
Last Updated	Aug 2, 2024

Stay Ahead of the Next One

Get instant alerts for red hat red hat advanced cluster security 4.2

Be the first to know when new medium vulnerabilities affecting red hat red hat advanced cluster security 4.2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

Affected Versions

Red Hat / Red Hat Advanced Cluster Security 4.2

All versions affected

Red Hat / Red Hat Advanced Cluster Security 3

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2023:5206 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-4958 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=1990363

Credits

This issue was discovered by Jeremy Choi (Red Hat Product Security).