CVE-2010-3852

Sažetak

The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who authentication via a forged ticket cookie.

Reference

http://www.securityfocus.com/bid/44611
http://secunia.com/advisories/42113
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050244.html
http://secunia.com/advisories/42123
http://www.vupen.com/english/advisories/2010/2873
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050246.html
https://bugzilla.redhat.com/show_bug.cgi?id=626504
http://osvdb.org/69015
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050309.html
http://www.vupen.com/english/advisories/2010/2900
https://exchange.xforce.ibmcloud.com/vulnerabilities/62980
http://git.fedorahosted.org/git/?p=luci.git%3Ba=commit%3Bh=9e0bbf0c5faa198379d945474f7d55da5031cacf

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

13-02-2023 - 04:26

Objavljeno

06-11-2010 - 00:00