CVE-2013-7347 — Redhat Enterprise Linux vulnerability

CWE-2557 documents4 sources

Severity

3.7LOWNVD

EPSS

0.1%

top 80.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Enterprise Linux

Timeline

PublishedMar 31

Latest updateMay 17

Description

Luci in Red Hat Conga does not properly enforce the user session timeout, which might allow attackers to gain access to the session by reading the __ac session cookie. NOTE: this issue has been SPLIT due to different vulnerability types. Use CVE-2012-3359 for the base64-encoded storage of the user and password in a cookie.

CVSS vector

AV:L/AC:H/C:P/I:P/A:PExploitability: 1.9 | Impact: 6.4

Affected Packages0 packages

Also affects: Enterprise Linux 5

🔴Vulnerability Details

GHSA

GHSA-865x-x787-2cjj: Luci in Red Hat Conga stores the user's username and password in a Base64 encoded string in the __ac session cookie, which allows attackers to gain pr↗2022-05-17

▶

GHSA

GHSA-9fpf-6wcx-rjjm: Luci in Red Hat Conga does not properly enforce the user session timeout, which might allow attackers to gain access to the session by reading the __a↗2022-05-17

▶

📋Vendor Advisories

Red Hat

conga: insecure handling of luci web interface sessions↗2013-01-07

▶

Red Hat

conga: insecure handling of luci web interface sessions↗2013-01-07

▶

💬Community

Bugzilla

CVE-2012-3359 CVE-2013-7347 conga: insecure handling of luci web interface sessions↗2010-06-23

▶