CVE-2026-5119

Опубликовано: 30 мар. 2026

Источник: redhat

CVSS3: 5.9

Описание

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

Отчет

Moderate impact. This flaw in libsoup allows sensitive session cookies to be transmitted in cleartext within the initial HTTP CONNECT request when establishing HTTPS tunnels through a configured HTTP proxy. A network-positioned attacker or a malicious HTTP proxy could intercept these cookies, potentially leading to session hijacking or user impersonation. This affects Red Hat Enterprise Linux systems configured to use an HTTP proxy for HTTPS connections.

Меры по смягчению последствий

To mitigate this issue, ensure that all HTTP proxies used for HTTPS tunnels are trusted and operate within a secure network. Avoid configuring applications to use untrusted HTTP proxies. If feasible, configure applications to bypass proxies for sensitive connections or utilize a secure proxy solution that encrypts the entire communication channel. A service restart or application reload may be required for changes to take effect.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	libsoup3	Fix deferred
Red Hat Enterprise Linux 6	libsoup	Out of support scope
Red Hat Enterprise Linux 7	libsoup	Fix deferred
Red Hat Enterprise Linux 8	libsoup	Fix deferred
Red Hat Enterprise Linux 9	libsoup	Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-319

https://bugzilla.redhat.com/show_bug.cgi?id=2452932libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment

5.9 Medium

CVSS3