noVNC did not provide support for secure cookies in an HTTPS session. As a result, browsers can send session cookies over an insecure HTTP channel. An attacker who is able to intercept traffic can capture the cookie information and access the application on behalf of the user.
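The following is an added example, not noVNC's code and not taken from the referenced commit: it sets the `secure` attribute whenever the page is served over HTTPS, and audits `Set-Cookie` lines for cookies that lack it. The function names and the sample headers are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not noVNC's API.

// Build a document.cookie string. The "secure" attribute is appended when the
// page protocol is HTTPS, so the browser never sends the cookie over plain HTTP.
function buildCookie(name, value, days, protocol) {
  let cookie = `${name}=${encodeURIComponent(value)}; path=/`;
  if (days) {
    const expires = new Date(Date.now() + days * 24 * 60 * 60 * 1000);
    cookie += `; expires=${expires.toUTCString()}`;
  }
  if (protocol === "https:") {
    cookie += "; secure";
  }
  return cookie;
}

// Return the names of cookies whose Set-Cookie line has no Secure attribute.
// Attribute names are case-insensitive, so they are lower-cased before the check.
function cookiesMissingSecure(setCookieLines) {
  const missing = [];
  for (const line of setCookieLines) {
    const parts = line.split(";").map((p) => p.trim());
    const name = parts[0].split("=")[0];
    const attrs = parts.slice(1).map((p) => p.split("=")[0].toLowerCase());
    if (!attrs.includes("secure")) {
      missing.push(name);
    }
  }
  return missing;
}

// Constructed sample Set-Cookie lines, as captured from an HTTPS response.
const sampleHeaders = [
  "token=abc123; Path=/; Secure; HttpOnly",
  "session=deadbeef; Path=/",
  "prefs=dark; Path=/; SameSite=Lax",
];

console.log(buildCookie("token", "a b", 0, "https:"));
console.log(cookiesMissingSecure(sampleHeaders));
```

In a browser, the first function would be called as `document.cookie = buildCookie(name, value, days, window.location.protocol)`.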
Name | Operator | Version
---|---|---
novnc | eq | 0.4__7.el6ev
novnc | eq | 0.3__10.el6
novnc | eq | 0.4__6.el6ost
novnc | eq | 0.4__8.el6ost
novnc | eq | 0.4__2.el6
novnc | eq | 0.4__7.el7ost
novnc | eq | 0.4__4.el6ost
novnc | eq | 0.4__3.el6ost
novnc | eq | 0.4__8.1.el6
rhn.redhat.com/errata/RHSA-2015-0788.html
rhn.redhat.com/errata/RHSA-2015-0833.html
rhn.redhat.com/errata/RHSA-2015-0834.html
rhn.redhat.com/errata/RHSA-2015-0884.html
www.openwall.com/lists/oss-security/2015/02/17/1
www.openwall.com/lists/oss-security/2015/03/12/13
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1193451
github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd