Vulnerabilities > CVE-2014-9386 - Remote Security vulnerability in Zenoss Core

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
zenoss
NVD
Published: 2014-12-15
Updated: 2016-03-21

Summary

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691. <a href="http://cwe.mitre.org/data/definitions/384.html" target="_blank">CWE-384: Session Fixation</a>

Vulnerable Configurations

Part Description Count
Application
Zenoss
17

Statements

contributorZenoss
lastmodified2016-03-21
organizationZenoss
statementAddressed in versions 5.0, 4.2.5.SP273, and 4.2.4.SP854

References