CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2818 – Improper Removal of Sensitive Information Before Storage or Transfer in cockpit-hq/cockpit
https://notcve.org/view.php?id=CVE-2022-2818
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2. Una Omisión de Autenticación por Debilidad Primaria en el repositorio de GitHub cockpit-hq/cockpit versiones anteriores a 2.2.2. • https://github.com/cockpit-hq/cockpit/commit/4bee1b903ee20818f4a8ecb9d974b9536cc54cb4 https://huntr.dev/bounties/ee27e5df-516b-4cf4-9f28-346d907b5491 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2713 – Insufficient Session Expiration in cockpit-hq/cockpit
https://notcve.org/view.php?id=CVE-2022-2713
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0. Una Expiración no Suficiente de Sesión en el repositorio GitHub cockpit-hq/cockpit versiones anteriores a 2.2.0 • https://github.com/cockpit-hq/cockpit/commit/dd8d0314912fa6517ebd2cc9939d9fafbe68731b https://huntr.dev/bounties/3080fc96-75d7-4868-84de-9fc8c9b90290 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3698 – cockpit: authenticates with revoked certificates
https://notcve.org/view.php?id=CVE-2021-3698
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en Cockpit en versiones anteriores a la 260 en la forma en que maneja la verificación de certificados llevada a cabo por el demonio de servicios de seguridad del sistema (SSSD). Este fallo permite que los certificados de clientes sean autenticados con éxito, independientemente de la configuración de la Lista de Revocación de Certificados (CRL) o del estado del certificado. • https://bugzilla.redhat.com/show_bug.cgi?id=1992149 https://access.redhat.com/security/cve/CVE-2021-3698 • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3660 – cockpit: pages vulnerable to clickjacking
https://notcve.org/view.php?id=CVE-2021-3660
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks. Cockpit (y sus plugins) no parecen protegerse contra un ataque de clickjacking. Es posible renderizar una página de un servidor de Cockpit por medio de otro sitio web, dentro de una entrada HTML (iFrame). • https://bugzilla.redhat.com/show_bug.cgi?id=1980688 https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10 https://github.com/cockpit-project/cockpit/issues/16122 https://access.redhat.com/security/cve/CVE-2021-3660 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-3804 – cockpit: Crash when parsing invalid base64 headers
https://notcve.org/view.php?id=CVE-2019-3804
It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash. Se ha detectado que cockpit, en versiones anteriores a la 184, empleaba incorrectamente la funcionalidad de descodificación de base64 de glib, lo que resultaba en un ataque de denegación de servicio (DoS). Un atacante no autenticado podría enviar una petición especialmente manipulada con una cookie no válida codificada en base64, lo que podría provocar el cierre inesperado del servicio web. It was found that cockpit used glib's base64 decode functionality incorrectly resulting in a denial of service attack. • https://access.redhat.com/errata/RHSA-2019:1569 https://access.redhat.com/errata/RHSA-2019:1571 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3804 https://github.com/cockpit-project/cockpit/commit/c51f6177576d7e12 https://github.com/cockpit-project/cockpit/pull/10819 https://access.redhat.com/security/cve/CVE-2019-3804 https://bugzilla.redhat.com/show_bug.cgi?id=1663567 • CWE-909: Missing Initialization of Resource •