CVE-2021-3660

Publication date 10 March 2022

Last updated 7 April 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

4.3 · Medium

Score breakdown

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

Status

Package Ubuntu Release Status
cockpit 24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic Ignored end of life, was not-affected
23.04 lunar Ignored end of life, was not-affected
22.10 kinetic Ignored end of life, was not-affected
22.04 LTS jammy
Not affected
21.10 impish Ignored end of life
21.04 hirsute Ignored end of life
20.04 LTS focal
Vulnerable
18.04 LTS bionic
Vulnerable
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
cockpit

Severity score breakdown

Parameter Value
Base score 4.3 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N