ALT-PU-2025-15780-2

Package update cockpit in branch c10f2

Version280.1-alt2

Published2025-12-17

Max severityHIGH

Severity:

Closed issues (3)

MEDIUM4.3

Уязвимость менеджера для серверов Cockpit, связанная с ошибками при отображении пользовательского интерфейса или фреймов, позволяющая нарушителю внедрить вредоносный код

Published: 2021-08-12Modified: 2023-11-10

CVSS 3.xMEDIUM 4.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

References

CVE-2021-3660

MEDIUM4.3

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.</h3><div class="cve-card-meta"><span><strong>Published:</strong> 2022-03-10</span><span><strong>Modified:</strong> 2024-11-21</span></div><div class="cve-card-cvss"><div class="cve-card-cvss-head"><div class="cvss-tabs"><span class="cvss-tab is-on">CVSS 2.0</span><span class="cvss-tab sev-fg-medium">MEDIUM 4.3</span></div><code class="cvss-vector-text">CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N</code></div></div><div class="cve-card-cvss"><div class="cve-card-cvss-head"><div class="cvss-tabs"><span class="cvss-tab is-on">CVSS 3.x</span><span class="cvss-tab sev-fg-medium">MEDIUM 4.3</span></div><code class="cvss-vector-text">CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N</code></div></div><div class="cve-card-refs"><div class="cve-card-refs-h">References</div><ul><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1980688" target="_blank" rel="noreferrer">https://bugzilla.redhat.com/show_bug.cgi?id=1980688</a></li><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10" target="_blank" rel="noreferrer">https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10</a></li><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://github.com/cockpit-project/cockpit/issues/16122" target="_blank" rel="noreferrer">https://github.com/cockpit-project/cockpit/issues/16122</a></li><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1980688" target="_blank" rel="noreferrer">https://bugzilla.redhat.com/show_bug.cgi?id=1980688</a></li><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10" target="_blank" rel="noreferrer">https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10</a></li><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://github.com/cockpit-project/cockpit/issues/16122" target="_blank" rel="noreferrer">https://github.com/cockpit-project/cockpit/issues/16122</a></li></ul></div></div></article><article class="cve-card cve-card-high" id="CVE-2021-3698" data-sev="HIGH"><div class="cve-card-rail sev-bg-high"></div><div class="cve-card-body"><header class="cve-card-head"><div class="cve-card-id-row"><a class="cve-card-id" href="https://nvd.nist.gov/vuln/detail/CVE-2021-3698" target="_blank" rel="noreferrer">CVE-2021-3698</a><button type="button" class="copy-btn" data-copy="CVE-2021-3698" aria-label="Copy"><svg width="13" height="13" viewBox="0 0 16 16" aria-hidden="true"><rect x="5" y="5" width="9" height="9" rx="1.5" fill="none" stroke="currentColor" stroke-width="1.5"/><path d="M3 11V3.5A1.5 1.5 0 0 1 4.5 2H11" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/></svg><span>CVE-2021-3698</span></button><a class="cve-card-permalink" href="#CVE-2021-3698" aria-label="Permalink"><svg width="13" height="13" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/></svg></a></div><div class="cve-card-badges"><span class="sev-badge sev-md sev-badge-high"><span class="sev-dot"></span><span class="sev-name">HIGH</span><span class="sev-score">7.5</span></span></div></header><h3 class="cve-card-title">A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.</h3><div class="cve-card-meta"><span><strong>Published:</strong> 2022-03-10</span><span><strong>Modified:</strong> 2024-11-21</span></div><div class="cve-card-cvss"><div class="cve-card-cvss-head"><div class="cvss-tabs"><span class="cvss-tab is-on">CVSS 2.0</span><span class="cvss-tab sev-fg-medium">MEDIUM 5.0</span></div><code class="cvss-vector-text">CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N</code></div></div><div class="cve-card-cvss"><div class="cve-card-cvss-head"><div class="cvss-tabs"><span class="cvss-tab is-on">CVSS 3.x</span><span class="cvss-tab sev-fg-high">HIGH 7.5</span></div><code class="cvss-vector-text">CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code></div></div><div class="cve-card-refs"><div class="cve-card-refs-h">References</div><ul><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1992149" target="_blank" rel="noreferrer">https://bugzilla.redhat.com/show_bug.cgi?id=1992149</a></li><li><svg width="11" height="11" viewBox="0 0 16 16" aria-hidden="true"><path d="M7 9.5l-2 2a2.5 2.5 0 1 1-3.5-3.5l2-2M9 6.5l2-2a2.5 2.5 0 1 1 3.5 3.5l-2 2M5.5 10.5l5-5" fill="none" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1992149" target="_blank" rel="noreferrer">https://bugzilla.redhat.com/show_bug.cgi?id=1992149</a></li></ul></div></div></article></div></div></div></section><footer class="footer"><div class="footer-inner"><div class="footer-col"><span class="alt-logo"><img class="alt-logo-img" src="/static/main/image/altlinux-logo.svg" alt="ALT Linux Team" height="40"></span><p class="footer-text">errata.altlinux.org is an open source of errata bulletins for ALT Linux packages — security fixes, bugs and regressions. The site is statically generated.</p></div><div class="footer-col"><div class="footer-h">Links</div><a href="https://packages.altlinux.org" target="_blank" rel="noreferrer">packages.altlinux.org</a><a href="https://git.altlinux.org" target="_blank" rel="noreferrer">git.altlinux.org</a><a href="https://bugzilla.altlinux.org" target="_blank" rel="noreferrer">bugzilla.altlinux.org</a><a href="https://www.altlinux.org" target="_blank" rel="noreferrer">www.altlinux.org</a></div><div class="footer-col"><div class="footer-h">Community</div><a href="https://forum.altlinux.org/" target="_blank" rel="noreferrer">Forum</a><a href="https://altlinux.space/explore/repos" target="_blank" rel="noreferrer">git (altlinux.space)</a><a href="https://teleg.one/alt_linux" target="_blank" rel="noreferrer">Telegram</a><a href="https://vk.com/altlinux" target="_blank" rel="noreferrer">VKontakte</a></div><div class="footer-col"><div class="footer-h">About</div><a href="https://rdb.altlinux.org/api/errata/ids" target="_blank" rel="noreferrer">JSON API</a><a href="https://altlinux.space/ALTLinux/errata-genpages" target="_blank" rel="noreferrer">Source code</a></div></div><div class="footer-bottom"><span>© 2026 ALT Linux Team. Licensed under GNU AGPL v3.</span><span class="footer-meta">v2.2.0 · static site</span></div></footer></div></body></html>