Simple understanding of HTTP Method Override vulnerability for OCP users

Solution Verified - Updated -

Issue

  • Is OCP console safe from this vulnerability?
  • HTTP Method Override allows clients to bypass HTTP method restrictions by using headers such as X-HTTP-Method, X-HTTP-Method-Override, or X-Method-Override, or query parameters such as _method, which lets an attacker perform restricted actions (such as PUT or DELETE).
  • The attack request uses a trusted HTTP verb such as GET or POST, but adds request headers such as X-HTTP-Method, X-HTTP-Method-Override, or X-Method-Override, or a query parameter such as _method, to supply a restricted verb such as PUT or DELETE. Such a request is then interpreted by the target application using the verb from the header or parameter instead of the actual HTTP verb.
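The following is an added example, not code from this article or from the OCP console: a small checker that flags the override vectors named above (the three headers and the _method parameter) so a reverse proxy, WAF rule or middleware can log or reject the request before any verb is trusted. The set of verbs treated as restricted and the function names are assumptions for illustration.

```python
"""Detecting HTTP Method Override attempts (added example, not OCP console code).

Looks for the override vectors described above: the X-HTTP-Method,
X-HTTP-Method-Override and X-Method-Override request headers and the _method
query parameter. A reverse proxy, WAF rule or application middleware can use
this to log the attempt or reject the request before the verb is trusted.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

OVERRIDE_HEADERS = ("x-http-method", "x-http-method-override", "x-method-override")
OVERRIDE_PARAM = "_method"
# Assumed set of verbs a request must never be escalated into via an override.
RESTRICTED_VERBS = {"PUT", "DELETE", "PATCH"}


def find_override(method: str, url: str, headers: Dict[str, str]) -> Optional[dict]:
    """Return details of an override attempt, or None when the request carries none.

    method  -- the real verb on the request line, e.g. "POST"
    url     -- the request target, possibly with a query string
    headers -- request headers; names are matched case-insensitively
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return {"vector": "header", "name": name,
                    "verb": lowered[name].strip().upper(), "actual": method.upper()}
    query = parse_qs(urlsplit(url).query)
    if OVERRIDE_PARAM in query:
        return {"vector": "query", "name": OVERRIDE_PARAM,
                "verb": query[OVERRIDE_PARAM][0].strip().upper(), "actual": method.upper()}
    return None


def should_block(finding: Optional[dict]) -> bool:
    """True when the override would turn a trusted verb into a restricted one."""
    return bool(finding) and finding["verb"] in RESTRICTED_VERBS and finding["verb"] != finding["actual"]


def strip_override(url: str, headers: Dict[str, str]) -> tuple:
    """Hardening helper: drop the override headers and _method before forwarding upstream."""
    clean_headers = {n: v for n, v in headers.items() if n.lower() not in OVERRIDE_HEADERS}
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query) if k != OVERRIDE_PARAM]
    return urlunsplit(parts._replace(query=urlencode(params))), clean_headers
```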

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
  • OCP Console
