Description
Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
It was found that Foreman did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie.
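As an added example (not part of this advisory record or of the Foreman project), the check below parses `Set-Cookie` headers the way a defender would when verifying that a fix for this class of weakness is in place: for each cookie it reports whether the `Secure` and `HttpOnly` attributes are present. The header strings are constructed samples that mimic a session cookie issued over HTTPS without those attributes; the `over_https` parameter and the `SESSION_NAME_HINTS` heuristic are assumptions of this example.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from the advisory. Sample headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Heuristic (assumption of this example): cookie names that usually carry a session.
SESSION_NAME_HINTS = ("session", "sess", "sid")

# Constructed sample headers, as a Foreman-style app served over HTTPS might emit them.
SAMPLE_HEADERS = [
    "_session_id=abc123def456; path=/",                      # neither attribute set
    "theme=dark; Path=/; Secure",                            # HttpOnly missing
    "csrf_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax" # hardened
]


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    session_like: bool
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value-or-None}).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
    Value-less attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name.strip(), attrs


def check_cookie(header: str, over_https: bool = True) -> CookieReport:
    """Report which of Secure / HttpOnly a single Set-Cookie header lacks.

    Secure is only meaningful for cookies issued over HTTPS, so it is only
    flagged as missing when over_https is True.
    """
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    session_like = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    missing: List[str] = []
    if over_https and not secure:
        missing.append("Secure")
    if not httponly:
        missing.append("HttpOnly")
    return CookieReport(name, secure, httponly, session_like, missing)


def audit_response(set_cookie_headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map every cookie name in a response to the list of attributes it is missing."""
    return {
        report.name: report.missing
        for report in (check_cookie(h, over_https) for h in set_cookie_headers)
    }


def session_cookies_at_risk(set_cookie_headers: List[str], over_https: bool = True) -> List[str]:
    """Names of session-like cookies that lack at least one of the two attributes."""
    return [
        r.name
        for r in (check_cookie(h, over_https) for h in set_cookie_headers)
        if r.session_like and r.missing
    ]


if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
    print("session cookies at risk:", session_cookies_at_risk(SAMPLE_HEADERS))
```

Run against the constructed samples, `_session_id` is reported as missing both attributes, matching the condition the advisory describes; the same function can be fed the `Set-Cookie` headers captured from a real login response to confirm that an upgraded deployment sets both flags.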
Affected packages

Platform | Package | Status | Advisory | Release
---|---|---|---|---
OpenStack Foreman | foreman | Will not fix | |
Red Hat OpenStack Platform 4 | foreman | Will not fix | |
Red Hat Satellite 6.1 | aopalliance | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | apache-commons-codec-eap6 | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | apache-mime4j | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | atinject | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | bouncycastle | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | c3p0 | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | candlepin | Fixed | RHSA-2015:1592 | 12.08.2015
Red Hat Satellite 6.1 | candlepin-common | Fixed | RHSA-2015:1592 | 12.08.2015
Additional information

Status:
CVSS2 score: 2.6 (Low)
Related vulnerabilities
Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVSS2 score: 2.6 (Low)