SSL Cookie Without Secure Flag

2019-01-1509:05:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.026 Low

EPSS

Percentile

90.3%

JSON

pcs is vulnerable to SSL cookie without secure flag. The vulnerability exists as the pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag.

CPENameOperatorVersion
pcseq0.9.90__2.el6_5.2
pcseq0.9.90__1.el6_4
pcseq0.9.26__10.el6
pcseq0.9.26__10.el6_4.1
pcseq0.9.90__2.el6
pcseq0.9.90__2.el6_5.3
pcseq0.9.90__2.el6_5.2
pcseq0.9.90__1.el6_4
pcseq0.9.26__10.el6
pcseq0.9.26__10.el6_4.1

Name	Operator	Version
pcs	eq	0.9.90__2.el6_5.2
pcs	eq	0.9.90__1.el6_4
pcs	eq	0.9.26__10.el6
pcs	eq	0.9.26__10.el6_4.1
pcs	eq	0.9.90__2.el6
pcs	eq	0.9.90__2.el6_5.3
pcs	eq	0.9.90__2.el6_5.2
pcs	eq	0.9.90__1.el6_4
pcs	eq	0.9.26__10.el6
pcs	eq	0.9.26__10.el6_4.1