CVE-2015-3207: Insecure cookies in OpenShift Origin
CVSS Score: 5.3 (version 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.4706%
CWE
Published: 7/8/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/openshift/origin | go | < 1.0.0 | 1.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from cookies being set without Secure/HttpOnly attributes. Analysis focused on console authentication and session management functions where cookies are created and set. The most likely candidates are HTTP handler functions in the console server and authentication components that directly manipulate Set-Cookie headers. While exact patch diffs aren't available, the CWE-614 description and OpenShift's architecture suggest these functions would be modified to add the missing security attributes in the patched version.
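The following Go sketch is an added example, not OpenShift Origin code: it shows a handler that sets a session cookie without the Secure and HttpOnly attributes, the corrected form, and a check that can run in a unit test to flag the missing attributes. The handler names, cookie name, token value and host are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// weakLogin reproduces the class of flaw described above: a session cookie
// set with neither Secure nor HttpOnly. Names and values are constructed.
func weakLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "constructed-token", Path: "/"})
}

// hardenedLogin sets the same cookie with both attributes present, so it is
// sent only over TLS and is not readable from page scripts.
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name: "session", Value: "constructed-token", Path: "/",
		Secure: true, HttpOnly: true,
	})
}

// auditCookies drives a handler in-process, parses the Set-Cookie headers it
// emits, and returns one finding per missing attribute per cookie.
func auditCookies(h http.HandlerFunc) []string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "https://console.example/login", nil))
	var findings []string
	for _, c := range rec.Result().Cookies() {
		if !c.Secure {
			findings = append(findings, c.Name+": missing Secure")
		}
		if !c.HttpOnly {
			findings = append(findings, c.Name+": missing HttpOnly")
		}
	}
	return findings
}

func main() {
	fmt.Println("weak:", auditCookies(weakLogin))
	fmt.Println("hardened:", auditCookies(hardenedLogin))
}
```

Running `auditCookies` over every cookie-setting handler in a test suite turns the missing-attribute condition into a build failure instead of a finding in production.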