Vulnerability Details : CVE-2021-3660
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Products affected by CVE-2021-3660
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:cockpit-project:cockpit:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3660
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 44 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3660
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2021-3660
-
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)
References for CVE-2021-3660
-
https://github.com/cockpit-project/cockpit/issues/16122
Is cockpit vulnerable to clickjacking? [CVE-2021-3660] · Issue #16122 · cockpit-project/cockpit · GitHubPatch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1980688
1980688 – (CVE-2021-3660) CVE-2021-3660 cockpit: pages vulnerable to clickjackingIssue Tracking;Third Party Advisory
-
https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10
common: Restrict frame embedding to same origin · cockpit-project/cockpit@8d9bc10 · GitHubPatch;Third Party Advisory
Jump to