CVE-2012-3359: Red Hat Enterprise Linux vulnerability

CWE-255 | 8 documents | 4 sources

Severity: 3.7 LOW (NVD)
EPSS: 0.1% (top 80.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline:
Published: Mar 31
Latest update: May 17

Description

Luci in Red Hat Conga stores the user's username and password in a Base64 encoded string in the __ac session cookie, which allows attackers to gain privileges by accessing this cookie. NOTE: this issue has been SPLIT due to different vulnerability types. Use CVE-2013-7347 for the incorrect enforcement of a user timeout.

CVSS vector

AV:L/AC:H/C:P/I:P/A:P
Exploitability: 1.9 | Impact: 6.4

Affected Packages: 0 packages

Also affects: Enterprise Linux 5

Vulnerability Details (2)

GHSA-865x-x787-2cjj (GHSA, 2022-05-17): Luci in Red Hat Conga stores the user's username and password in a Base64 encoded string in the __ac session cookie, which allows attackers to gain privileges by accessing this cookie.
GHSA-9fpf-6wcx-rjjm (GHSA, 2022-05-17): Luci in Red Hat Conga does not properly enforce the user session timeout, which might allow attackers to gain access to the session by reading the __ac session cookie.

Vendor Advisories (3)

Red Hat (2013-01-07): conga: insecure handling of luci web interface sessions
Red Hat (2013-01-07): conga: insecure handling of luci web interface sessions
Red Hat (2011-03-27): kernel: b43: allocate receive buffers big enough for max frame len + offset

Community (1)

Bugzilla (2010-06-23): CVE-2012-3359 CVE-2013-7347 conga: insecure handling of luci web interface sessions