CVE-2014-9386

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing	Vendor Advisory
http://www.kb.cert.org/vuls/id/449452	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zenoss:zenoss_core:3.0.2:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.4.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.1.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.5.2:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.2.1:::::::*
	cpe:2.3:a:zenoss:zenoss_core:4.2.4:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.4.5:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.5.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.5.1:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.2.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:4.2.3:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.1:::::::*
	cpe:2.3:a:zenoss:zenoss_core::::::::
	cpe:2.3:a:zenoss:zenoss_core:4.2.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.3:::::::*

History

No history.

Information

Published : 2014-12-15 18:59

Updated : 2016-03-21 16:17

NVD link : CVE-2014-9386

Mitre link : CVE-2014-9386

JSON object : View

Products Affected

zenoss

zenoss_core

CWE

NVD-CWE-Other

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing", "name": "https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.kb.cert.org/vuls/id/449452", "name": "VU#449452", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "CERT-VN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-9386", "ASSIGNER": "cert@cert.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2014-12-15T18:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:2.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:2.5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:4.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:2.4.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:2.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:2.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:4.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.2.5"}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:4.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zenoss:zenoss_core:3.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-03-21T16:17Z"}