CVE-2015-3155
Published: 2015-08-14
Priority: P4 · 23 · medium · CVSS 2.0 score: 5.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 2.22% (80.5th percentile)
Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | <= 1.8.0 | 1.8.1 |
CVSS provenance
NVD (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
Red Hat (vendor, vendor_redhat): 5.0 MEDIUM
Red Hat
foreman: the _session_id cookie is issued without the Secure flag
vendor_redhat · 2015-04-27 · CVSS 5.0 · MEDIUM
It was found that Foreman did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie.
Note that Red Hat's summary above refers to the HttpOnly attribute, while the CVE description and the Foreman issue refer to the Secure attribute; both are attributes of the same _session_id cookie, and a hardened session cookie carries both.
Package: foreman (OpenStack Foreman) - Will not fix
Package: foreman (Red Hat OpenStack Platform 4) - Will not fix
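The following is an added example (not Foreman's own code and not the patch from the linked pull request) that models the two cookie attributes discussed above, the Secure attribute from the CVE description and the HttpOnly attribute from Red Hat's note. It parses a Set-Cookie header, reports which of the two attributes a session cookie is missing, and replays the attack in the CVE text with a minimal RFC 6265 cookie jar: a cookie issued during an https session but lacking Secure is attached by the browser to a later plain-http request to the same host, where an on-path attacker can read it. The cookie name `_session_id` comes from the advisory; the cookie value, path and the two header strings are constructed for the example.

```ruby
# Added example, not Foreman code. Stdlib only; all inputs are constructed.

# Parse one Set-Cookie header value into a hash of name, value and attributes.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  cookie = { name: name, value: value, secure: false, httponly: false }
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    case key.downcase
    when "secure"   then cookie[:secure] = true
    when "httponly" then cookie[:httponly] = true
    when "path"     then cookie[:path] = val
    when "domain"   then cookie[:domain] = val
    end
  end
  cookie
end

# Audit helper: names of the session-cookie attributes that are missing
# (empty array when the cookie carries both Secure and HttpOnly).
def missing_session_flags(set_cookie_header)
  c = parse_set_cookie(set_cookie_header)
  missing = []
  missing << "Secure" unless c[:secure]
  missing << "HttpOnly" unless c[:httponly]
  missing
end

# Minimal cookie jar following RFC 6265 section 5.4: a cookie carrying the
# Secure attribute is only attached to requests made over a secure channel.
class CookieJar
  def initialize
    @cookies = {}
  end

  def store(set_cookie_header)
    c = parse_set_cookie(set_cookie_header)
    @cookies[c[:name]] = c
  end

  # "name=value" pairs a browser would send for a request with this URL scheme.
  def cookies_for(scheme)
    secure_channel = (scheme == "https")
    @cookies.values
            .select { |c| secure_channel || !c[:secure] }
            .map { |c| "#{c[:name]}=#{c[:value]}" }
  end
end

# Constructed headers: the pre-1.8.1 shape (neither attribute) and a hardened one.
VULNERABLE_HEADER = "_session_id=2a6f0c1b9d8e; path=/"
HARDENED_HEADER   = "_session_id=2a6f0c1b9d8e; path=/; Secure; HttpOnly"

# Replay of the attack in the CVE text: the victim logs in over https, then is
# induced to load an http:// URL on the same host (a plain link is enough).
# Returns the cookie pairs that travel in clear text on that http request.
def leaked_over_http(set_cookie_header)
  jar = CookieJar.new
  jar.store(set_cookie_header) # issued during the https session
  jar.cookies_for("http")      # what the browser then sends over plain http
end

if __FILE__ == $0
  puts "vulnerable, sent over http: #{leaked_over_http(VULNERABLE_HEADER).inspect}"
  puts "hardened,   sent over http: #{leaked_over_http(HARDENED_HEADER).inspect}"
  puts "missing attributes (vulnerable): #{missing_session_flags(VULNERABLE_HEADER).inspect}"
end
```

In a Rails application the two attributes are set on the session store itself (for example `config.session_store :cookie_store, key: '_session_id', secure: true, httponly: true`); the audit function above is what you would run against the Set-Cookie header of a real login response, over TLS, to confirm the deployed instance actually emits both attributes.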
GHSA
GHSA-286g-52x6-9289: Foreman before 1
ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-284
No detection rules found.
No public exploits indexed.
References
http://projects.theforeman.org/issues/10275
https://access.redhat.com/errata/RHSA-2015:1591
https://access.redhat.com/errata/RHSA-2015:1592
https://bugzilla.redhat.com/show_bug.cgi?id=1216035
https://github.com/theforeman/foreman/pull/2328
https://groups.google.com/forum/#%21topic/foreman-announce/QPtN0h04jdo