CVE-2014-9386

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.kb.cert.org/vuls/id/449452	Third Party Advisory US Government Resource
https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zenoss:zenoss_core::::::::
	cpe:2.3:a:zenoss:zenoss_core:2.4.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.4.5:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.5.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.5.1:::::::*
	cpe:2.3:a:zenoss:zenoss_core:2.5.2:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.1:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.2:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.0.3:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.1.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.2.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:3.2.1:::::::*
	cpe:2.3:a:zenoss:zenoss_core:4.2.0:::::::*
	cpe:2.3:a:zenoss:zenoss_core:4.2.3:::::::*
	cpe:2.3:a:zenoss:zenoss_core:4.2.4:::::::*

History

No history.

Information

Published : 2014-12-15 18:59

Updated : 2016-03-21 16:17

NVD link : CVE-2014-9386

Mitre link : CVE-2014-9386

CVE.ORG link : CVE-2014-9386

JSON object : View

Products Affected

zenoss

zenoss_core

CWE

NVD-CWE-Other

{"id": "CVE-2014-9386", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-12-15T18:59:28.630", "references": [{"url": "http://www.kb.cert.org/vuls/id/449452", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}, {"url": "https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing", "tags": ["Vendor Advisory"], "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691."}, {"lang": "es", "value": "Zenoss Core anterior a 4.2.5 SP161 configura una vida infinita para la cookie de identificaci\u00f3n de la sesi\u00f3n, lo que facilita a atacantes remotos secuestrar sesiones mediante el aprovechamiento de una estaci\u00f3n de trabajo desatendida, tambi\u00e9n conocido como ZEN-12691."}], "lastModified": "2016-03-21T16:17:15.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zenoss:zenoss_core:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BEDDF5E-604E-4E5A-9F16-289CC9F042D6", "versionEndIncluding": "4.2.5"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:2.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81B69C06-16CA-4A73-8EF8-3E2103D14438"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:2.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33BCBA94-31A9-4B0B-943D-8BB31B552B55"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:2.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CD24A2C-C0B5-43B3-8F8E-7E72FF8B65B5"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:2.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F73AE1C8-8EF9-4AD2-88A9-5108B0B64D8A"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:2.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4C24942-BE6F-4BDF-8642-4458229F8995"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCCAE80F-40D6-44B4-8253-5A27B2A2E015"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "020D8B51-8378-4E4B-A72F-6B5C7ED9CEDD"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84FFAAE5-E7EC-40D7-8BEC-335FB6A9EA56"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE2CE264-118C-4EE1-9454-7940B6EE7704"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "498262F4-FDA2-4FAD-A45A-1C0EE87F83FB"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2CAD8E20-EB1E-49E7-9620-539749F125C3"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B696A404-81CD-4F97-9C45-4E0667685BCB"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:4.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6F74787-A72A-4C79-8682-91DD6BE85E78"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:4.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7803AA36-92DC-4362-AB99-99A06B1329EC"}, {"criteria": "cpe:2.3:a:zenoss:zenoss_core:4.2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60BDF496-3032-48E2-AAE4-849488F308A8"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Addressed in versions 5.0, 4.2.5.SP273, and 4.2.4.SP854", "lastModified": "2016-03-21T12:17:15.147", "organization": "Zenoss"}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/384.html\" target=\"_blank\">CWE-384: Session Fixation</a>", "sourceIdentifier": "cret@cert.org"}