CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3698 – cockpit: authenticates with revoked certificates
https://notcve.org/view.php?id=CVE-2021-3698
08 Mar 2022 — A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en Cockpit en versiones anteriores a la 260 en la forma en que maneja la verificación de certificad... • https://bugzilla.redhat.com/show_bug.cgi?id=1992149 • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3660 – cockpit: pages vulnerable to clickjacking
https://notcve.org/view.php?id=CVE-2021-3660
07 Mar 2022 — Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks. Cockpit (y sus plugins) no parecen protegerse contra un ataque de clickjacking. Es posible renderizar una página de un servidor de Cockpit por medio de otro sitio web, dentro de una entrada HTML (iFrame). • https://bugzilla.redhat.com/show_bug.cgi?id=1980688 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2020-35850
https://notcve.org/view.php?id=CVE-2020-35850
30 Dec 2020 — An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue. ** EN DISPUTA ** Se detectó un problema de tipo SSRF en cockpit-project.org Cockpit versión 234. NOTA: esto no está relacionado con el producto Agentejo Cockpit. NOTA: el proveedor declara "I don't think (it) is a big real-life issue" • https://github.com/cockpit-project/cockpit/issues/15077 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 4%CPEs: 3EXPL: 0CVE-2019-3804 – cockpit: Crash when parsing invalid base64 headers
https://notcve.org/view.php?id=CVE-2019-3804
13 Mar 2019 — It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash. Se ha detectado que cockpit, en versiones anteriores a la 184, empleaba incorrectamente la funcionalidad de descodificación de base64 de glib, lo que resultaba en un ataque de denegación de servicio (DoS). Un atacante no aute... • https://access.redhat.com/errata/RHSA-2019:1569 • CWE-909: Missing Initialization of Resource •