CWE-614
AllowedSensitive Cookie in HTTPS Session Without 'Secure' Attribute
Abstraction: Variant · Status: Draft
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
115 vulnerabilities reference this CWE, most recent first.
GHSA-Q34C-V76Q-8JX6
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-10-27 19:00LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server and the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
{
"affected": [],
"aliases": [
"CVE-2021-3882"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-14T09:15:00Z",
"severity": "MODERATE"
},
"details": "LedgerSMB does not set the \u0027Secure\u0027 attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can\u0027t access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don\u0027t need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the \u0027Header always edit\u0027 configuration command in the mod_headers module. For Nginx, please refer to the \u0027proxy_cookie_flags\u0027 configuration command.",
"id": "GHSA-q34c-v76q-8jx6",
"modified": "2022-10-27T19:00:38Z",
"published": "2022-05-24T19:17:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3882"
},
{
"type": "WEB",
"url": "https://github.com/ledgersmb/ledgersmb/commit/c242f5a2abf4b99b0da205473cbba034f306bfe2"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d"
},
{
"type": "WEB",
"url": "https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q48X-G537-F47G
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state.
{
"affected": [],
"aliases": [
"CVE-2024-58317"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T20:15:53Z",
"severity": "MODERATE"
},
"details": "A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the \u0027requireSSL\u0027 attribute, potentially compromising session security and authentication state.",
"id": "GHSA-q48x-g537-f47g",
"modified": "2025-12-18T21:31:43Z",
"published": "2025-12-18T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58317"
},
{
"type": "WEB",
"url": "https://devnet.kentico.com/download/hotfixes"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/kentico-xperience-cookie-security-configuration"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QCW2-492V-57XJ
Vulnerability from github – Published: 2022-12-23 12:30 – Updated: 2023-01-02 20:22usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos prior to 0.9.0 is missing the Secure cookie attribute, making it vulnerable to session hijacking.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4683"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-319",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-27T02:21:22Z",
"nvd_published_at": "2022-12-23T12:15:00Z",
"severity": "MODERATE"
},
"details": "usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos prior to 0.9.0 is missing the Secure cookie attribute, making it vulnerable to session hijacking.\n",
"id": "GHSA-qcw2-492v-57xj",
"modified": "2023-01-02T20:22:05Z",
"published": "2022-12-23T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4683"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/7efa749c6628c75b19a912ca170529f5c293bb2e"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/84973f6b-739a-4d7e-8757-fc58cbbaf6ef"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos missing Secure cookie attribute"
}
GHSA-QHX2-RHQQ-2WMM
Vulnerability from github – Published: 2024-06-11 12:31 – Updated: 2025-02-11 12:30A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”).
{
"affected": [],
"aliases": [
"CVE-2024-35211"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T12:15:17Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions \u003c V1.2). The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as \u201cSecure\u201d, \u201cHttpOnly\u201d, or \u201cSameSite\u201d).",
"id": "GHSA-qhx2-rhqq-2wmm",
"modified": "2025-02-11T12:30:53Z",
"published": "2024-06-11T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35211"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-196737.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QJ6J-5MQ9-MGJ8
Vulnerability from github – Published: 2024-01-10 00:30 – Updated: 2024-01-10 00:30A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to sensitive cookie without secure attribute. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-250117 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-0349"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T23:15:09Z",
"severity": "LOW"
},
"details": "A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to sensitive cookie without secure attribute. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-250117 was assigned to this vulnerability.",
"id": "GHSA-qj6j-5mq9-mgj8",
"modified": "2024-01-10T00:30:23Z",
"published": "2024-01-10T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0349"
},
{
"type": "WEB",
"url": "https://mega.nz/file/TU1X3TIQ#7bPvxEP0KrdoDZVg-dqinNC5fEQrG5uu58jWzPGh904"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.250117"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.250117"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R3JQ-4R5C-J9HP
Vulnerability from github – Published: 2024-08-27 19:50 – Updated: 2025-01-21 18:28Summary
Session cookie is without Secure and HTTPOnly flags.
Details
Please take a look at this part of code (PoC screenshot) or check code directly (provided in Occurrences section below)
Occurrences: https://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67
Proposed remediation: add Secure and HTTPOnly flags for cookies.
It could be like this:
document.cookie = tprh=${tprh};path=/;Secure;HttpOnly;;
PoC
Screenshot:
Impact
Secure: This flag indicates that the cookie should only be sent over secure HTTPS connections. Without this flag, the cookie will be sent over both HTTP and HTTPS connections, which could expose it to interception or tampering if the connection is not secure. HttpOnly: This flag prevents the cookie from being accessed by client-side JavaScript. It helps mitigate certain types of attacks, such as cross-site scripting (XSS), by preventing malicious scripts from accessing the cookie's value.
References CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute https://cwe.mitre.org/data/definitions/614.html CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag - https://cwe.mitre.org/data/definitions/1004.html OWASP - Secure Cookie Attribute - https://owasp.org/www-community/controls/SecureCookieAttribute Cookie security flags - https://www.invicti.com/learn/cookie-security-flags/ Cookie lack Secure flag - https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag
Other: Title: Encrypting the Web URL: https://www.eff.org/encrypt-the-web
Update (Required advisory information) - added severity, resource: https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set
Best regards,
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.1"
},
"package": {
"ecosystem": "PyPI",
"name": "taipy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47833"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-319",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-27T19:50:59Z",
"nvd_published_at": "2024-10-09T19:15:14Z",
"severity": "MODERATE"
},
"details": "### Summary\nSession cookie is without Secure and HTTPOnly flags.\n\n### Details\nPlease take a look at this part of code (PoC screenshot) or check code directly (provided in Occurrences section below)\n\n**Occurrences**:\nhttps://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67\n\n**Proposed remediation:** add Secure and HTTPOnly flags for cookies.\n\nIt could be like this:\ndocument.cookie = `tprh=${tprh};path=/;Secure;HttpOnly;`;\n\n\n### PoC\n**Screenshot**:\n\n\n\n### Impact\n**Secure**: This flag indicates that the cookie should only be sent over secure HTTPS connections. Without this flag, the cookie will be sent over both HTTP and HTTPS connections, which could expose it to interception or tampering if the connection is not secure.\n**HttpOnly:** This flag prevents the cookie from being accessed by client-side JavaScript. It helps mitigate certain types of attacks, such as cross-site scripting (XSS), by preventing malicious scripts from accessing the cookie\u0027s value.\n\n**References**\n CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute https://cwe.mitre.org/data/definitions/614.html\n CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag - https://cwe.mitre.org/data/definitions/1004.html\n OWASP - Secure Cookie Attribute - https://owasp.org/www-community/controls/SecureCookieAttribute\n Cookie security flags - https://www.invicti.com/learn/cookie-security-flags/\n Cookie lack Secure flag - https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag\n\n**Other**:\nTitle: Encrypting the Web\nURL: https://www.eff.org/encrypt-the-web\n\nUpdate (Required advisory information) - added severity, resource: \nhttps://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set\n\nBest regards,",
"id": "GHSA-r3jq-4r5c-j9hp",
"modified": "2025-01-21T18:28:45Z",
"published": "2024-08-27T19:50:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47833"
},
{
"type": "PACKAGE",
"url": "https://github.com/Avaiga/taipy"
},
{
"type": "WEB",
"url": "https://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/taipy/PYSEC-2024-168.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Taipy has a Session Cookie without Secure and HTTPOnly flags"
}
GHSA-R74X-HFRH-MH6J
Vulnerability from github – Published: 2024-04-23 06:30 – Updated: 2024-04-23 06:30Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00.
{
"affected": [],
"aliases": [
"CVE-2024-2493"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-23T06:15:06Z",
"severity": "HIGH"
},
"details": "Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00.\n\n",
"id": "GHSA-r74x-hfrh-mh6j",
"modified": "2024-04-23T06:30:47Z",
"published": "2024-04-23T06:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2493"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-122/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPX4-W2F7-Q5WW
Vulnerability from github – Published: 2025-01-27 06:30 – Updated: 2025-01-27 06:30A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.
This issue affects:
-
OTRS 7.0.X
-
OTRS 8.0.X
- OTRS 2023.X
- OTRS 2024.X
{
"affected": [],
"aliases": [
"CVE-2025-24390"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T06:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.\n\nThis issue affects: \n\n * OTRS 7.0.X\n\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS 2024.X",
"id": "GHSA-rpx4-w2f7-q5ww",
"modified": "2025-01-27T06:30:26Z",
"published": "2025-01-27T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24390"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2025-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQFJ-VV8R-XHQC
Vulnerability from github – Published: 2026-06-10 18:49 – Updated: 2026-06-10 18:49internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the session.
Affected
All released versions up to v0.3.1.
Impact
An attacker who can observe one HTTP request to the origin recovers the session cookie and impersonates the operator for the remainder of its 24h TTL. The OIDC state cookie has a narrower 10-minute window but enables CSRF on the OIDC callback during that window.
Cookie sites
internal/web/session.go—Login,StartAuthenticatedSession,CompleteTwoFactor,Logoutinternal/web/oidc.go—HandleLogin(state set),HandleCallback(state clear)
Suggested fix
Driven by an explicit cookie_secure config option, inferred true when tls_cert+tls_key are configured and false otherwise. rate_limit.trust_proxy_header is deliberately not used as a signal — that flag controls XFF parsing for rate-limit IPs and does not promise the proxy speaks TLS to clients. Operator behind a TLS-terminating proxy sets cookie_secure: true explicitly.
Logout and OIDC state-clear cookies also pick up matching HttpOnly + SameSite=Lax so browsers reliably replace the original.
Reproducer
Start nebula-mgmt without tls_cert/tls_key (the documented "behind a reverse proxy" deployment). Hit any login flow over the local listener:
curl -i -X POST -d 'username=admin&password=…' http://127.0.0.1:8080/ui/login
The Set-Cookie: nebula_session=… line will lack Secure. A subsequent unencrypted hop reveals the cookie verbatim.
Operational migration
Operators flipping cookie_secure on a running deployment should expect a one-time logout: existing browser cookies have the old attribute set and the new delete-cookie won't match.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/juev/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48058"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T18:49:22Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP\u2192HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the session.\n\n## Affected\nAll released versions up to v0.3.1.\n\n## Impact\nAn attacker who can observe one HTTP request to the origin recovers the session cookie and impersonates the operator for the remainder of its 24h TTL. The OIDC state cookie has a narrower 10-minute window but enables CSRF on the OIDC callback during that window.\n\n## Cookie sites\n- `internal/web/session.go` \u2014 `Login`, `StartAuthenticatedSession`, `CompleteTwoFactor`, `Logout`\n- `internal/web/oidc.go` \u2014 `HandleLogin` (state set), `HandleCallback` (state clear)\n\n## Suggested fix\nDriven by an explicit `cookie_secure` config option, inferred true when `tls_cert`+`tls_key` are configured and false otherwise. `rate_limit.trust_proxy_header` is deliberately not used as a signal \u2014 that flag controls XFF parsing for rate-limit IPs and does not promise the proxy speaks TLS to clients. Operator behind a TLS-terminating proxy sets `cookie_secure: true` explicitly.\n\nLogout and OIDC state-clear cookies also pick up matching `HttpOnly` + `SameSite=Lax` so browsers reliably replace the original.\n\n## Reproducer\nStart `nebula-mgmt` without `tls_cert`/`tls_key` (the documented \"behind a reverse proxy\" deployment). Hit any login flow over the local listener:\n\n```\ncurl -i -X POST -d \u0027username=admin\u0026password=\u2026\u0027 http://127.0.0.1:8080/ui/login\n```\n\nThe `Set-Cookie: nebula_session=\u2026` line will lack `Secure`. A subsequent unencrypted hop reveals the cookie verbatim.\n\n## Operational migration\nOperators flipping `cookie_secure` on a running deployment should expect a one-time logout: existing browser cookies have the old attribute set and the new delete-cookie won\u0027t match.",
"id": "GHSA-rqfj-vv8r-xhqc",
"modified": "2026-06-10T18:49:22Z",
"published": "2026-06-10T18:49:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-rqfj-vv8r-xhqc"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/commit/ffdd67dbf221d9a5855c39fbe11b49c245048d85"
},
{
"type": "PACKAGE",
"url": "https://github.com/juev/nebula-mesh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "nebula-mesh: Session and OIDC state cookies lack the Secure attribute"
}
GHSA-RQPH-25Q9-9JHP
Vulnerability from github – Published: 2022-07-08 00:00 – Updated: 2022-07-15 18:35In Openshift Origin the cookies being set in console have no 'secure', 'HttpOnly' attributes.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openshift/origin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-3207"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-08T19:20:02Z",
"nvd_published_at": "2022-07-07T13:15:00Z",
"severity": "MODERATE"
},
"details": "In Openshift Origin the cookies being set in console have no \u0027secure\u0027, \u0027HttpOnly\u0027 attributes.",
"id": "GHSA-rqph-25q9-9jhp",
"modified": "2022-07-15T18:35:26Z",
"published": "2022-07-08T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3207"
},
{
"type": "WEB",
"url": "https://github.com/openshift/origin/pull/2261"
},
{
"type": "WEB",
"url": "https://github.com/openshift/origin/pull/2291"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221882"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insecure cookies in Openshift Origin"
}
Mitigation
Always set the secure attribute when the cookie should be sent via HTTPS only.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.