1. CVE-Search
  2. CVE-2015-1848
ID CVE-2015-1848
Summary The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag.
References
Vulnerable Configurations
  • cpe:2.3:a:fedora:pacemaker_configuration_system:0.9.137:*:*:*:*:*:*:*
    cpe:2.3:a:fedora:pacemaker_configuration_system:0.9.137:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_resilient_storage_eus:7.1:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_resilient_storage_eus:7.1:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_high_availability_eus:6.6.z:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_high_availability_eus:6.6.z:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_resilient_storage_eus:6.6.z:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_resilient_storage_eus:6.6.z:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_high_availability:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_high_availability:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_resilient_storage:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_resilient_storage:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_resilient_storage:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_resilient_storage:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_high_availability:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_high_availability:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_high_availability_eus:7.1:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_high_availability_eus:7.1:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 12-02-2023 - 23:15)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2015:0980
  • rhsa
    id RHSA-2015:0990
rpms
  • pcs-0:0.9.137-13.el7_1.2
  • pcs-debuginfo-0:0.9.137-13.el7_1.2
  • python-clufter-0:0.9.137-13.el7_1.2
  • pcs-0:0.9.123-9.el6_6.2
  • pcs-debuginfo-0:0.9.123-9.el6_6.2
refmap via4
bid 74623
confirm https://bugzilla.redhat.com/attachment.cgi?id=1009855
fedora
  • FEDORA-2015-8761
  • FEDORA-2015-8765
  • FEDORA-2015-8788
Last major update 12-02-2023 - 23:15
Published 14-05-2015 - 14:59
Last modified 12-02-2023 - 23:15
Back to Top