CVE-2015-8470Sensitive Information Exposure in Enterprise

CWE-200Sensitive Information Exposure3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 45.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Puppet Enterprise
Timeline
PublishedDec 11
Latest updateMay 13

Description

The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

NVDpuppet/puppet_enterprise3.7.03.7.2+2

🔴Vulnerability Details

2
GHSA
GHSA-q6x9-v42r-65c3: The console in Puppet Enterprise 32022-05-13
CVEList
CVE-2015-8470: The console in Puppet Enterprise 32017-12-11
CVE-2015-8470 — Sensitive Information Exposure | cvebase