
Insufficient default settings for security relevant HTTP response headers

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Exasol 6.2.0, Exasol 7.0.0, Exasol 7.1.beta1
    • Component/s: None
    • Labels: None

      Description

      Vulnerability

      Due to insufficient defaults being used for some security-relevant HTTP response headers, Exaoperation was vulnerable to clickjacking attacks.

      If a user who is logged into Exaoperation interacted with a malicious website, that website could interact with Exaoperation using the user's credentials.

      Workaround

      We recommend an immediate update to remedy the issue.

      Additionally, we recommend logging into Exaoperation only when needed and logging out afterwards, or using a secondary browser profile that is used solely to interact with Exaoperation.

      Fix

      The relevant default settings for HTTP response headers were strengthened to align with security best practices. Additionally, more defenses against XSS attacks were implemented.
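As an added illustration of how an administrator can verify a fix of this kind on their own installation (this is not Exasol's code, and the ticket does not name which headers were changed), the following Python audit flags a response that carries no anti-framing header; the sample header sets are constructed, and `audit_url` is a hypothetical helper for checking a live endpoint.

```python
from typing import Dict, List
import urllib.error
import urllib.request

# Constructed sample responses (not captured from Exaoperation): the first has
# no anti-framing header at all, the second carries common hardened defaults.
WEAK_DEFAULTS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
}
STRENGTHENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_clickjacking(headers: Dict[str, str]) -> List[str]:
    """Return findings about framing protection; an empty list means the
    response cannot be embedded by an arbitrary third-party origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xfo = lower.get("x-frame-options", "").strip().upper()
    ancestors = parse_csp(lower.get("content-security-policy", "")).get("frame-ancestors")
    if not xfo and ancestors is None:
        return ["no X-Frame-Options or CSP frame-ancestors: any site may frame this page"]
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN")
    if ancestors is not None:
        # A wildcard or bare scheme in frame-ancestors permits any origin.
        permissive = [a for a in ancestors if a in ("*", "http:", "https:")]
        if permissive:
            findings.append(f"frame-ancestors {permissive} allows arbitrary origins")
    return findings

def audit_url(url: str) -> List[str]:
    """Hypothetical helper: fetch url and audit its response headers."""
    try:
        with urllib.request.urlopen(url) as resp:
            return audit_clickjacking(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:  # non-2xx responses still carry headers
        return audit_clickjacking(dict(err.headers.items()))
```

Run `audit_url("https://<your-exaoperation-host>/")` against your own installation before and after the update; an empty result means the login page can no longer be framed by another origin.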

      People

      • Assignee: CaptainEXA Captain EXASOL
      • Reporter: CaptainEXA Captain EXASOL