Bug 1072151 - (CVE-2014-0090) CVE-2014-0090 Foreman: Session fixation
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20140324,reported=2...
Keywords: Security
Depends On: 1072161
Blocks: 1076333
Reported: 2014-03-03 23:31 EST by Garth Mollett
Modified: 2016-04-26 12:04 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-02-04 18:22:06 EST

Description Garth Mollett 2014-03-03 23:31:48 EST
Jeremy Choi and Keqin Hong of the Red Hat HSS Pen-Test Team reported that under some circumstances Foreman did not generate new session IDs for every login. This flaw could allow authentication to be bypassed through session fixation attacks.
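As an added illustration (not Foreman's code or the reporters'), this Ruby sketch models the flaw the report describes: a login that keeps the pre-authentication session ID beside one that rotates it, plus the check a test or audit would use to tell them apart. The SessionStore class, its methods and the sample user are constructed for this example.

```ruby
require 'securerandom'
# Minimal in-memory session store standing in for a Rails-style cookie
# store. Constructed for this example; it is not Foreman's code.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Look up a session by id, creating an anonymous one if id is unknown.
  def fetch(id)
    id ||= SecureRandom.hex(16)
    @sessions[id] ||= { user: nil }
    [id, @sessions[id]]
  end

  # Vulnerable pattern: authenticate inside the existing session, so the
  # id the browser presented before login stays valid afterwards.
  def login_without_rotation(id, user)
    id, data = fetch(id)
    data[:user] = user
    id
  end

  # Hardened pattern: drop the pre-authentication session and mint a
  # fresh id (what calling Rails' reset_session before sign-in achieves).
  def login_with_rotation(id, user)
    @sessions.delete(id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = { user: user }
    new_id
  end

  def user_for(id)
    @sessions.dig(id, :user)
  end
end

# Audit/test check: a login must not leave the pre-login id authenticated
# or unchanged. Returns true when the fixation flaw is present.
def session_fixation?(store, login_method)
  pre_login_id, _ = store.fetch(nil)   # id known before authentication
  post_login_id = store.public_send(login_method, pre_login_id, 'admin')
  post_login_id == pre_login_id || !store.user_for(pre_login_id).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "no rotation, fixation: #{session_fixation?(SessionStore.new, :login_without_rotation)}"
  puts "rotation,    fixation: #{session_fixation?(SessionStore.new, :login_with_rotation)}"
end
```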
Comment 2 Garth Mollett 2014-03-04 00:44:49 EST
Acknowledgements:

This issue was discovered by Jeremy Choi and Keqin Hong of the Red Hat HSS Pen-Test Team.
Comment 3 Garth Mollett 2014-03-24 18:21:29 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having Low security impact in Red Hat Enterprise Linux OpenStack Platform 3 and 4. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
