[Forgot Password]
Login  Register Subscribe

30430

 
 

423868

 
 

247974

 
 

909

 
 

194654

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2010-3852Date: (C)2010-11-05   (M)2023-12-22


The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who authentication via a forged ticket cookie.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 6.4
Exploit Score: 10.0
Impact Score: 4.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
  
Reference:
SECUNIA-42113
SECUNIA-42123
BID-44611
OSVDB-69015
ADV-2010-2873
ADV-2010-2900
FEDORA-2010-16601
FEDORA-2010-16617
FEDORA-2010-16848
http://git.fedorahosted.org/git/?p=luci.git%3Ba=commit%3Bh=9e0bbf0c5faa198379d945474f7d55da5031cacf
https://bugzilla.redhat.com/show_bug.cgi?id=626504
luci-whoini-weak-security(62980)

CWE    1
CWE-287
OVAL    3
oval:org.secpod.oval:def:100775
oval:org.secpod.oval:def:100786
oval:org.secpod.oval:def:100970

© SecPod Technologies