EXASOL Roadmap / EXASOL-2903

Insufficient default settings for security relevant HTTP response headers

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Exasol 6.2.0, Exasol 7.0.0, Exasol 7.1.beta1
    • Component/s: None
    • Labels: None

      Description

      Vulnerability

      Because insufficient defaults were used for some security-relevant HTTP response headers, Exaoperation was vulnerable to clickjacking attacks.

      If a user who is logged into Exaoperation interacted with a malicious website, that website could interact with Exaoperation using the user's credentials.

      Workaround

      We recommend an immediate update to remedy the issue.

      Additionally, we recommend logging into Exaoperation only when needed and logging out afterwards, or using a secondary browser profile that is used only to interact with Exaoperation.

      Fix

      The relevant default settings for HTTP response headers were strengthened to align with security best practices. Additionally, more defenses against XSS attacks were implemented.
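The issue does not name the specific headers whose defaults were strengthened. The script below is an added example, not code from the Exasol issue or the Exaoperation product: it assumes the standard anti-framing defences (the `X-Frame-Options` header and the `frame-ancestors` directive of `Content-Security-Policy`) and grades a captured HTTP response head as having no, partial or strong protection against framing. The two response heads are constructed samples, one resembling a weak default and one resembling a hardened configuration, so the check runs offline; against a live instance you would feed it the raw response head captured from Exaoperation after the update.

```python
"""Grade HTTP response headers for clickjacking (framing) defences.

Added example for issue EXASOL-2903; not Exasol's own code. The header
names checked here are an assumption based on standard anti-framing
practice, since the issue does not list the headers it changed.
"""
from __future__ import annotations

import re

# Constructed sample response heads (not captured from a real system).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response_head(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict.

    Stops at the first blank line; repeated headers are joined with ", ".
    """
    headers: dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Splits on ';' and also on ',' so that several joined policies are
    flattened; within a policy the first occurrence of a directive wins.
    """
    policy: dict[str, list[str]] = {}
    for part in re.split(r"[;,]", value):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def framing_protection(headers: dict[str, str]) -> tuple[str, list[str]]:
    """Return ('strong' | 'partial' | 'none', findings) for anti-framing headers.

    'strong' needs both a restrictive frame-ancestors directive and a
    DENY/SAMEORIGIN X-Frame-Options (older browsers only honour the latter).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    csp_ok = xfo_ok = False

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is None:
            findings.append("CSP present but has no frame-ancestors directive")
        elif any(src in ("*", "http:", "https:") for src in ancestors):
            findings.append(f"frame-ancestors allows any origin: {' '.join(ancestors)}")
        else:
            csp_ok = True  # 'none', 'self' or an explicit allowlist

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        xfo_ok = True
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
    elif xfo:
        findings.append(f"unrecognised X-Frame-Options value: {xfo}")
    else:
        findings.append("no X-Frame-Options header")

    if csp_ok and xfo_ok:
        return "strong", findings
    if csp_ok or xfo_ok:
        return "partial", findings
    return "none", findings


if __name__ == "__main__":
    for label, raw in (("weak default", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        verdict, notes = framing_protection(parse_response_head(raw))
        print(f"{label}: {verdict}" + ("".join(f"\n  - {n}" for n in notes)))
```

The verdict is deliberately conservative: a CSP that omits `frame-ancestors`, or one that allows `*`, is reported as no protection from the CSP side, and `ALLOW-FROM` is flagged because current browsers ignore it, which would leave a page framable while appearing configured.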

            People

            Assignee:
            CaptainEXA Captain EXASOL
            Reporter:
            CaptainEXA Captain EXASOL