RHACS Missing Security HTTP Headers Enable Clickjacking
CVE-2023-4958 Published on December 12, 2023

Stackrox: missing http security headers allows for clickjacking in web ui
In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.


Vulnerability Analysis

CVE-2023-4958 is exploitable with network access and requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

Timeline

Reported to Red Hat.

Made public. 301 days later.

Weakness Type

What is a Clickjacking Vulnerability?

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.

CVE-2023-4958 has been classified as a Clickjacking vulnerability or weakness.
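The restriction described above is normally expressed with two response headers: X-Frame-Options (legacy, DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive (the standardised control, which takes precedence where both are understood). The following is an added example, not code from RHACS or StackRox: a Go net/http middleware that adds the headers, a checker that evaluates whether a captured response carries an effective anti-framing control (the test a reviewer or scanner applies), and a comparison of a bare handler against the hardened one. The handler, the /main/dashboard path and the HTML body are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// securityHeaders wraps a handler and adds the anti-framing headers whose
// absence is the weakness class described above. X-Frame-Options covers
// older browsers; CSP frame-ancestors is the standardised control and wins
// where both are understood. (Constructed example, not RHACS code.)
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		h.Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// framingProtected reports whether response headers carry an effective
// anti-framing control: a CSP frame-ancestors directive that is not a
// wildcard, or failing that X-Frame-Options DENY/SAMEORIGIN. The second
// return value explains the verdict.
func framingProtected(h http.Header) (bool, string) {
	if csp := h.Get("Content-Security-Policy"); csp != "" {
		for _, directive := range strings.Split(csp, ";") {
			fields := strings.Fields(strings.TrimSpace(directive))
			if len(fields) == 0 || !strings.EqualFold(fields[0], "frame-ancestors") {
				continue
			}
			for _, src := range fields[1:] {
				if src == "*" {
					return false, "frame-ancestors allows any origin"
				}
			}
			// An empty source list matches nothing, so it also blocks framing.
			return true, "CSP frame-ancestors present"
		}
	}
	switch strings.ToUpper(h.Get("X-Frame-Options")) {
	case "DENY", "SAMEORIGIN":
		return true, "X-Frame-Options present"
	}
	return false, "no anti-framing header"
}

// probe issues one in-memory GET to the handler and returns its response headers.
func probe(handler http.Handler) http.Header {
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/main/dashboard", nil))
	return rec.Result().Header
}

// uiHandler stands in for a web console page that sets no security headers
// (constructed for the example).
var uiHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body>console</body></html>")
})

func main() {
	for name, h := range map[string]http.Handler{
		"bare":     uiHandler,
		"hardened": securityHeaders(uiHandler),
	} {
		ok, why := framingProtected(probe(h))
		fmt.Printf("%-8s protected=%v (%s)\n", name, ok, why)
	}
}
```

The checker deliberately treats a wildcard frame-ancestors as unprotected and ignores X-Frame-Options once a frame-ancestors directive is present, which mirrors how browsers resolve the two headers; a scanner that only looks for the presence of X-Frame-Options would pass a response whose CSP actually permits framing from anywhere.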


Products Associated with CVE-2023-4958


Affected Versions

Red Hat Advanced Cluster Security 4.2
Red Hat Advanced Cluster Security 3

Exploit Probability

EPSS: 0.03%
Percentile: 9.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.