CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0174 – cumin: session cookies lack httponly setting
https://notcve.org/view.php?id=CVE-2014-0174
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. Cumin (también conocido como MRG Management Console), utilizado en Red Hat Enterprise MRG 2.5, no incluye el indicador HTTPOnly en una cabecera Set-Cookie para la cookie de la sesión, lo que facilita a atacantes remotos obtener información potencialmente sensible a través del acceso de secuencias de comandos a esta cookie. It was found that Cumin did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie. • http://rhn.redhat.com/errata/RHSA-2014-0858.html http://rhn.redhat.com/errata/RHSA-2014-0859.html https://access.redhat.com/security/cve/CVE-2014-0174 https://bugzilla.redhat.com/show_bug.cgi?id=1086000 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.7EPSS: 0%CPEs: 18EXPL: 0CVE-2014-3917 – kernel: DoS with syscall auditing
https://notcve.org/view.php?id=CVE-2014-3917
kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. kernel/auditsc.c en el kernel de Linux hasta 3.14.5, cuando CONFIG_AUDITSYSCALL está habilitado con ciertas normas syscall, permite a usuarios locales obtener valores de un único bit potencialmente sensibles de la memoria del kernel o causar una denegación de servicio (OOPS) a través de un valor grande de un número syscall. An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system. • http://article.gmane.org/gmane.linux.kernel/1713179 http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://rhn.redhat.com/errata/RHSA-2014-1143.html http://rhn.redhat.com/errata/RHSA-2014-1281.html http://secunia.com/advisories/59777 http://secunia.com/advisories/60011 http://secunia.com/advisories/60564 http://www.openwall.com/lists/oss-security/2014/05/29/5 http://www.ubuntu.com/usn/USN-2334-1 http://www.ubuntu.com/usn/USN-2335-1& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.7EPSS: 0%CPEs: 16EXPL: 0CVE-2014-3940 – Kernel: missing check during hugepage migration
https://notcve.org/view.php?id=CVE-2014-3940
The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c. El kernel de Linux hasta 3.14.5 no considera debidamente la presencia de entradas hugetlb, lo que permite a usuarios locales causar una denegación de servicio (corrupción de memoria o caída de sistema) mediante el acceso a ciertas localizaciones de memoria, tal y como fue demostrado mediante el aprovechamiento de una condición de carrera a través de operaciones de lectura numa_maps durante la migración a hugepage, relacionado con fs/proc/task_mmu.c y mm/mempolicy.c. A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. • http://rhn.redhat.com/errata/RHSA-2015-0290.html http://rhn.redhat.com/errata/RHSA-2015-1272.html http://secunia.com/advisories/59011 http://secunia.com/advisories/61310 http://www.openwall.com/lists/oss-security/2014/06/02/5 http://www.securityfocus.com/bid/67786 https://bugzilla.redhat.com/show_bug.cgi?id=1104097 https://lkml.org/lkml/2014/3/18/784 https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15685.html https://access.redhat.com/se • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2013-6445 – cumin: weak password hashing
https://notcve.org/view.php?id=CVE-2013-6445
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, uses the DES-based crypt function to hash passwords, which makes it easier for attackers to obtain sensitive information via a brute-force attack. Cumin (también conocido como MRG Management Console), utilizado en Red Hat Enterprise MRG 2.5, utiliza la función crypt basada en DES para crear hashes de contraseñas, lo que facilita a atacantes obtener información sensible a través de un ataque de fuerza bruta. • http://rhn.redhat.com/errata/RHSA-2014-0440.html http://rhn.redhat.com/errata/RHSA-2014-0441.html http://www.securitytracker.com/id/1030158 https://access.redhat.com/security/cve/CVE-2013-6445 https://bugzilla.redhat.com/show_bug.cgi?id=1044315 • CWE-310: Cryptographic Issues •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4405 – cumin: CSRF protection does not work
https://notcve.org/view.php?id=CVE-2013-4405
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allow remote attackers to hijack the authentication of cumin users for unspecified requests. Múltiples vulnerabilidades cross-site request forgery (CSRF) en la interfaz web de cumin en Red Hat Enterprise MRG Grid 2.4 permite a atacantes remotos secuestrar la autenticación de usuarios cumin en peticiones no especificadas. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=998561 http://rhn.redhat.com/errata/RHSA-2013-1851.html http://rhn.redhat.com/errata/RHSA-2013-1852.html https://access.redhat.com/security/cve/CVE-2013-4405 https://bugzilla.redhat.com/show_bug.cgi?id=998561 • CWE-352: Cross-Site Request Forgery (CSRF) •