
CVE-2019-14826

Published: 17 Sep 2019
Source: redhat
CVSS3: 1.8

Description

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

Report

In order to exploit this flaw, an attacker would need to obtain a user's session cookie after the user has logged out but before the server-side credential cache expires. Typically, this will not be possible because browsers protect the cookie while it is valid and delete it immediately as instructed by the server on logout. In order to be exposed to this vulnerability, one would need to be accessing FreeIPA in a non-standard fashion with an insecure web browser or a client application that stores and shares excessive debugging information. Most users of FreeIPA will not be at risk from this flaw.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ipa | Not affected | | |
| Red Hat Enterprise Linux 7 | ipa | Fix deferred | | |
| Red Hat Enterprise Linux 8 | idm:client/ipa | Not affected | | |
| Red Hat Enterprise Linux 8 | idm:DL1/ipa | Fix deferred | | |
| Red Hat Virtualization 4 | redhat-virtualization-host | Not affected | | |


Additional information

Status: Low
Defect: CWE-613
https://bugzilla.redhat.com/show_bug.cgi?id=1746944 ipa: Session not terminated after logout

CVSS3: 1.8 Low

Related vulnerabilities

CVSS3: 4.4
ubuntu
more than 6 years ago

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

CVSS3: 4.4
nvd
more than 6 years ago

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

CVSS3: 4.4
debian
more than 6 years ago

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies ...

CVSS3: 4.4
github
more than 3 years ago

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

CVSS3: 6
fstec
more than 6 years ago

FreeIPA server vulnerability related to incorrect session expiration, allowing an attacker to gain access to the session
