CVE-2015-1848

CWE-310 CWE-3477 documents6 sources

Severity

6.8MEDIUM

EPSS

1.2%

top 21.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedora Pacemaker Configuration System Redhat Enterprise Linux High Availability Redhat Enterprise Linux High Availability EUS +2 more

Timeline

PublishedMay 14

Latest updateMay 17

Description

The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶NVDfedora/pacemaker_configuration_system0.9.137

▶NVDredhat/enterprise_linux_high_availability4 versions+3

▶NVDredhat/enterprise_linux_resilient_storage4 versions+3

🔴Vulnerability Details

GHSA

GHSA-wqr4-6q63-33fp: The pcs daemon (pcsd) in PCS 0↗2022-05-17

▶

CVEList

CVE-2015-1848: The pcs daemon (pcsd) in PCS 0↗2015-05-14

▶

📋Vendor Advisories

Red Hat

pcs: improper web session variable signing↗2015-05-12

▶

Red Hat

pcs: improper web session variable signing↗2015-05-12

▶

Debian

CVE-2015-1848: pcs - The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag fo...↗2015

▶

💬Community

Bugzilla

CVE-2015-1848 CVE-2015-3983 pcs: improper web session variable signing↗2015-04-01

▶