Operational Defect Database

BugZero updated this defect 45 days ago.

VMware | 97205

Security scanner reports insecure configurations of HTTP response header fields

Last update date: 4/4/2024

Affected products: Cloud Director for Service Provider, Cloud Director

Affected releases: 10.x

Fixed releases: No fixed releases provided.

Description:

Details

A security scanner reports that the HTTP response headers served by the Cloud Director UI are too permissive. The Content-Security-Policy header contains 'unsafe-inline' and 'unsafe-eval' in the default-src and script-src directives. Example of the security report:

Content-Security-Policy: default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';

The suggested way to establish a Content Security Policy is to first set default-src to 'self' or 'none' and then add the other directives only as the application needs them.
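The following is an added example (not VMware or Cloud Director code) that reproduces the scanner's check: it parses a Content-Security-Policy header into directives, reports every wildcard, 'unsafe-inline' or 'unsafe-eval' source that governs script execution (default-src and script-src, with the browser's fallback from script-src to default-src), and compares the policy quoted in the report with a tightened policy built the recommended way, starting from default-src 'self'. The hardened policy's extra allowances (data: for images, for instance) are assumptions for illustration, not Cloud Director's real requirements.

```python
"""Audit a Content-Security-Policy header for the weaknesses the scanner flagged.

Added example, not VMware or Cloud Director code. The sample policies below are
constructed: REPORTED_CSP is the header quoted in the report, HARDENED_CSP is an
illustrative tightened policy whose allowances are assumed, not product-specific.
"""
from typing import Dict, List

# Policy quoted in the scanner report (constructed sample input).
REPORTED_CSP = (
    "default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "script-src * 'unsafe-inline' 'unsafe-eval'; "
    "connect-src * 'unsafe-inline'; "
    "img-src * data: blob: 'unsafe-inline'; "
    "frame-src *; "
    "style-src * data: blob: 'unsafe-inline'; "
    "font-src * data: blob: 'unsafe-inline';"
)

# Tightened policy built the way the report recommends: start from
# default-src 'self' and add only what the application needs. The allowances
# beyond 'self' are assumed for illustration.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "connect-src 'self'; "
    "img-src 'self' data:; "
    "style-src 'self'; "
    "font-src 'self'; "
    "frame-src 'none'; "
    "object-src 'none'; "
    "base-uri 'self'"
)

# Source expressions that defeat the purpose of a CSP for script execution.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}
# Directives that control which scripts may run.
SCRIPT_DIRECTIVES = ("default-src", "script-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name and the
    remaining tokens are source expressions. Names are case-insensitive, and a
    repeated directive name is ignored after its first occurrence, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the sources governing a directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def find_csp_findings(header: str) -> List[str]:
    """Return one finding per risky source that governs script execution."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in SCRIPT_DIRECTIVES:
        for source in effective_sources(policy, directive):
            if source.lower() in RISKY_SOURCES:
                findings.append(f"{directive} allows {source}")
    if "default-src" not in policy:
        findings.append("default-src is not set; undeclared fetch directives are unrestricted")
    return findings


if __name__ == "__main__":
    for label, csp in (("reported", REPORTED_CSP), ("hardened", HARDENED_CSP)):
        results = find_csp_findings(csp)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the reported header this yields six findings (the wildcard, 'unsafe-inline' and 'unsafe-eval' in each of default-src and script-src) and none against the hardened policy; the fallback logic also flags a policy that sets only a permissive default-src, since script-src then inherits it.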

Solution

This is a known issue with Cloud Director and requires a product change. VMware Engineering plans to address this in a future release of Cloud Director.
