Bug 1249182 (CVE-2015-5183) - CVE-2015-5183 Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ
Summary: CVE-2015-5183 Console: HTTPOnly and Secure attributes not set on cookies in R...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1242522
Reported: 2015-07-31 18:23 UTC by Chess Hazlett
Modified: 2021-02-17 05:04 UTC (History)

See Also:
Fixed In Version: Red Hat AMQ 6.3.R9
Doc Type: Bug Fix
Doc Text:
It was found that the Hawtio console does not set the HTTPOnly or Secure attributes on its cookies. An attacker could use this flaw to retrieve an authenticated user's session ID, and possibly conduct further attacks with the permissions of the authenticated user.
Clone Of:
Environment:
Last Closed: 2020-06-25 17:20:23 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2840 0 None None None 2018-10-01 19:42:59 UTC
Red Hat Product Errata RHSA-2020:2751 0 None None None 2020-06-25 14:14:52 UTC
Red Hat Product Errata RHSA-2020:4154 0 None None None 2020-10-01 11:38:39 UTC
Red Hat Product Errata RHSA-2020:5365 0 None None None 2020-12-08 08:55:45 UTC

Description Chess Hazlett 2015-07-31 18:23:07 UTC
It was found that A-MQ's Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to retrieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user.
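
The flaw described in this report is a missing-attribute problem on Set-Cookie headers, which is straightforward to check for in a response. The following audit script is an added example and is not code from Red Hat, Hawtio or this bug; the response headers it inspects are constructed here, and the session cookie name JSESSIONID and the path /console are assumptions, not values taken from the report.

```python
"""Audit HTTP response headers for cookies that lack HttpOnly or Secure.

Added example: parses each Set-Cookie header, records which of the two
hardening attributes is absent, and lets the caller single out the
session cookie. Sample headers below are constructed for illustration.
"""

REQUIRED_ATTRIBUTES = ("HttpOnly", "Secure")


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Attribute names are case-insensitive per RFC 6265, so they are
    lower-cased for lookup; flag attributes (HttpOnly, Secure) map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(headers):
    """Return {cookie_name: [missing attributes]} for every Set-Cookie header.

    `headers` is a list of (header_name, header_value) pairs, as a proxy,
    scanner or test harness would see them on a response.
    """
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(header_value)
        findings[name] = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
    return findings


def session_cookie_is_weak(findings, session_cookie="JSESSIONID"):
    """True when the (assumed) session cookie is missing any required attribute."""
    return bool(findings.get(session_cookie))


# Constructed sample: the pre-fix shape, where the session cookie carries
# neither attribute, plus an unrelated preference cookie.
WEAK_HEADERS = [
    ("Content-Type", "text/html;charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=0123456789abcdef; Path=/console"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
]

# Constructed sample: the hardened shape for the session cookie; the
# preference cookie here has Secure but still lacks HttpOnly.
HARDENED_HEADERS = [
    ("Content-Type", "text/html;charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=0123456789abcdef; Path=/console; HttpOnly; Secure"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000; Secure"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit_set_cookie(headers)
        print(label, findings, "session cookie weak:", session_cookie_is_weak(findings))
```

Running the script prints the missing attributes per cookie for both samples; the same `audit_set_cookie` function can be fed the headers of a real response captured by a proxy or a test client. Note that Secure only has an effect when the console is served over HTTPS, so a deployment behind a TLS-terminating proxy still needs the attribute set by the application.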

Comment 2 Chess Hazlett 2015-12-06 16:55:00 UTC
Acknowledgements:

Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting this issue.

Comment 3 deepak.panda 2018-06-14 05:47:18 UTC
Are there any plans to resolve this issue?

Comment 4 errata-xmlrpc 2018-10-01 19:42:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2840 https://access.redhat.com/errata/RHSA-2018:2840

Comment 7 Product Security DevOps Team 2020-06-25 17:20:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-5183

Comment 9 Chess Hazlett 2020-07-06 22:23:00 UTC
Statement:

This flaw affects only the Red Hat AMQ Product, and does not impact Apache ActiveMQ.

Comment 11 errata-xmlrpc 2020-10-01 11:38:36 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:4154 https://access.redhat.com/errata/RHSA-2020:4154

Comment 12 errata-xmlrpc 2020-12-08 08:55:45 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365
