BDU:2021-04029

Уязвимость менеджера для серверов Cockpit, связанная с ошибками при отображении пользовательского интерфейса или фреймов, позволяющая нарушителю внедрить вредоносный код

Severity: MEDIUM (4.3) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References:

CVE-2021-3660

Published: 2022-03-10
Modified: 2024-11-21

CVE-2021-3660

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.</p> <div class="pf-l-level pf-m-gutter"> <div class="pf-l-level__item"> <span class="pf-c-label pf-m-outline" style="--pf-c-label--BorderRadius: 0px; --pf-c-label--BackgroundColor: #FFA500; --pf-c-label__content--Color: #000000"> <span class="pf-c-label__content pf-u-font-size-sm">Severity: MEDIUM (4.3)</span> </span> <span class="pf-c-label pf-m-outline" style="--pf-c-label--BorderRadius: 0px; --pf-c-label--BackgroundColor: white; --pf-c-label__content--Color: black"> <span class="pf-c-label__content pf-u-font-size-sm">Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N</span> </span> </div> </div> </div> </div> <div class="pf-c-card__title">References:</div> <div class="pf-c-card__body pf-u-pl-xs pf-u-pr-xs pf-u-pl-md-on-xl pf-u-pr-md-on-xl"> <ul class="pf-c-list"> <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1980688">https://bugzilla.redhat.com/show_bug.cgi?id=1980688</a></li> <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1980688">https://bugzilla.redhat.com/show_bug.cgi?id=1980688</a></li> <li><a href="https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10">https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10</a></li> <li><a href="https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10">https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10</a></li> <li><a href="https://github.com/cockpit-project/cockpit/issues/16122">https://github.com/cockpit-project/cockpit/issues/16122</a></li> <li><a href="https://github.com/cockpit-project/cockpit/issues/16122">https://github.com/cockpit-project/cockpit/issues/16122</a></li> </ul> </div> </div> <div class="pf-c-card"> <div class="pf-c-card__header"> <div class="pf-c-card__actions pf-m-no-offset"> <div class="pf-u-font-size-sm"> Published: 2022-03-10<br> Modified: 2024-11-21 </div> </div> <h1 class="pf-c-title pf-m-2xl" id="card-action-no-offset-check-label" style="--pf-c-content--h1--MarginTop: 0px"> <a href=https://nvd.nist.gov/vuln/detail/CVE-2021-3698 id="CVE-2021-3698">CVE-2021-3698</a> </h1> </div> <div class="pf-c-card__body pf-u-pl-xs pf-u-pr-xs pf-u-pl-md-on-xl pf-u-pr-md-on-xl"> <div class="pf-c-content pf-u-p-md pf-u-p-0-on-xl"> <p>A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.</p> <div class="pf-l-level pf-m-gutter"> <div class="pf-l-level__item"> <span class="pf-c-label pf-m-outline" style="--pf-c-label--BorderRadius: 0px; --pf-c-label--BackgroundColor: #FF0000; --pf-c-label__content--Color: #FFFFFF"> <span class="pf-c-label__content pf-u-font-size-sm">Severity: HIGH (7.5)</span> </span> <span class="pf-c-label pf-m-outline" style="--pf-c-label--BorderRadius: 0px; --pf-c-label--BackgroundColor: white; --pf-c-label__content--Color: black"> <span class="pf-c-label__content pf-u-font-size-sm">Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span> </span> </div> </div> </div> </div> <div class="pf-c-card__title">References:</div> <div class="pf-c-card__body pf-u-pl-xs pf-u-pr-xs pf-u-pl-md-on-xl pf-u-pr-md-on-xl"> <ul class="pf-c-list"> <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1992149">https://bugzilla.redhat.com/show_bug.cgi?id=1992149</a></li> <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1992149">https://bugzilla.redhat.com/show_bug.cgi?id=1992149</a></li> </ul> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </section> <section class="pf-c-page__main-section pf-m-no-fill" style="background-color: var(--pf-global--BackgroundColor--100);"> <div class="pf-l-grid pf-u-py-xl-on-sm pf-u-py-0-on-md pf-u-align-items-center pf-u-font-size-md"> <div class="pf-l-grid__item pf-m-12-col pf-m-9-col-on-lg"> <div class="pf-l-flex"> <a class="pf-l-flex__item pf-u-mr-sm" href="https://vk.com/altlinux" target="_blank">VKontakte</a> <span class="pf-l-flex__item pf-u-mr-sm">|</span> <a class="pf-l-flex__item pf-u-mr-sm" href="https://teleg.one/alt_linux" target="_blank">Telegram</a> <span class="pf-l-flex__item pf-u-mr-sm">|</span> <a class="pf-l-flex__item pf-u-mr-sm" href="https://www.youtube.com/channel/UCtCfzqL49AkFYQ7JQcL_iSw" target="_blank">YouTube</a> <span class="pf-l-flex__item pf-u-mr-sm">|</span> <a class="pf-l-flex__item pf-u-mr-sm" href="https://forum.altlinux.org/" target="_blank">Forum</a> <span class="pf-l-flex__item pf-u-mr-sm">|</span> <a class="pf-l-flex__item pf-u-mr-sm" href="https://github.com/altlinux" target="_blank">GitHub</a> <span class="pf-l-flex__item pf-u-mr-sm">|</span> <a class="pf-l-flex__item pf-u-mr-sm" href="https://bugzilla.altlinux.org/" target="_blank">Bugzilla</a> </div> </div> <div class="pf-l-grid__item pf-m-12-col pf-m-3-col-on-lg"> <span class="ws-org-pfsite-site-copyright"> <span>Version: 2.1.0 </span> </span> </div> </div> </section> </div> </div> </div> </section> <div class="pf-c-back-to-top pf-m-hidden" style="z-index: 999;"> <a class="pf-c-button pf-m-warning" id="pf-c-back-to-top">Back to top <span class="pf-c-button__icon pf-m-end"> <i class="fas fa-angle-up" aria-hidden="true"></i> </span> </a> </div> </main> <div class="pf-c-popover" role="dialog"></div> </div> </body> </html>

Package cockpit update in sisyphus_mipsel on 2022-11-30

ALT-PU-2022-7261-1

Closed vulnerabilities

BDU:2021-04029

CVE-2021-3660