CVE-2009-4655 - The dhost web service in Novell eDirectory 8.8.5 uses a predictable session cookie, which makes it e

CVE-2009-4655

Summary

The dhost web service in Novell eDirectory 8.8.5 uses a predictable session cookie, which makes it easier for remote attackers to hijack sessions via a modified cookie.

References

Vulnerable Configurations

cpe:2.3:a:novell:edirectory:8.8.5:*:*:*:*:*:*:*
cpe:2.3:a:novell:edirectory:8.8.5:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 17-08-2017 - 01:31)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

misc	http://www.metasploit.com/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb
osvdb	60035
xf	edirectory-dhost-session-hijacking(56613)

Last major update

17-08-2017 - 01:31

Published

26-02-2010 - 18:30

Last modified

17-08-2017 - 01:31