A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installation. An attacker, able to man-in-the-middle the connection between the user’s browser and the openshift console, could use this flaw to perform a phishing attack. The main threat from this vulnerability is data confidentiality.
Ensure that the corsAllowedOrigin definition within master-config.yaml contains elements in the form
corsAllowedOrigins:
- ^(?i)https://my\.subdomain\.domain\.com(:|\z)
and not the form
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
as the first will permit cross origin requests only if the host and protocol matches, whereas the second will permit a downgrade to http protocol for example.