ID CVE-2015-3983
Summary The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types.
References
Vulnerable Configurations
  • cpe:2.3:a:fedora:pacemaker_configuration_system:0.9.137:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 31-12-2016 - 02:59)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1208294
    title CVE-2015-1848 CVE-2015-3983 pcs: improper web session variable signing
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment pcs is earlier than 0:0.9.137-13.el7_1.2
            oval oval:com.redhat.rhsa:tst:20150980001
          • comment pcs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20150980002
        • AND
          • comment python-clufter is earlier than 0:0.9.137-13.el7_1.2
            oval oval:com.redhat.rhsa:tst:20150980003
          • comment python-clufter is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20150980004
    rhsa
    id RHSA-2015:0980
    released 2015-05-12
    severity Important
    title RHSA-2015:0980: pcs security and bug fix update (Important)
  • bugzilla
    id 1208294
    title CVE-2015-1848 CVE-2015-3983 pcs: improper web session variable signing
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment pcs is earlier than 0:0.9.123-9.el6_6.2
        oval oval:com.redhat.rhsa:tst:20150990001
      • comment pcs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20150980002
    rhsa
    id RHSA-2015:0990
    released 2015-05-12
    severity Important
    title RHSA-2015:0990: pcs security and bug fix update (Important)
rpms
  • pcs-0:0.9.137-13.el7_1.2
  • pcs-debuginfo-0:0.9.137-13.el7_1.2
  • python-clufter-0:0.9.137-13.el7_1.2
  • pcs-0:0.9.123-9.el6_6.2
  • pcs-debuginfo-0:0.9.123-9.el6_6.2
refmap via4
bid 74682
confirm https://bugzilla.redhat.com/attachment.cgi?id=1009855
fedora
  • FEDORA-2015-8761
  • FEDORA-2015-8765
  • FEDORA-2015-8788
Last major update 31-12-2016 - 02:59
Published 14-05-2015 - 14:59
Last modified 31-12-2016 - 02:59