Clickjacking Vulnerability in Cockpit by Cockpit Project
CVE-2021-3660

4.3MEDIUM

Key Information:

Vendor

Cockpit-project

Status
Cockpit
Vendor
CVE Published:
7 March 2022

What is CVE-2021-3660?

Cockpit and its plugins lack adequate protections against clickjacking attacks, which allow an attacker to render pages from a Cockpit server within an on a malicious site. This vulnerability could enable exploitation through deceptive user interface behaviors, leading to unauthorized actions taken by users who are unaware they are interacting with a different site. Proper mitigation strategies should be employed to prevent misuse of this vulnerability.

Affected Version(s)

cockpit Fixed in cockpit v254 and later.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1980688
x_refsource_MISC
https://github.com/cockpit-project/cockpit/issues/16122
x_refsource_MISC
https://github.com/cockpit-project/cockpit/commit/8d9bc10...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.