CVE-2019-3784

EPSS 0.18%
Veröffentlicht 07.03.2019 18:29:00
Zuletzt bearbeitet 21.11.2024 04:42:32
Quelle security_alert@emc.com
CVE-Watchlists
Login
Unerledigt
Login

Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cloudfoundry ≫ Stratos Version < 2.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.4

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
security_alert@emc.com	8.2	1.8	5.8	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://www.cloudfoundry.org/blog/cve-2019-3784

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-3784

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-3784

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-3784

EUVD