
CVE-2015-3207: Insecure cookies in Openshift Origin

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.4706%
Published: 7/8/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: github.com/openshift/origin
Ecosystem: go
Vulnerable Versions: < 1.0.0
First Patched Version: 1.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from cookies being set without Secure/HttpOnly attributes. Analysis focused on console authentication and session management functions where cookies are created and set. The most likely candidates are HTTP handler functions in the console server and authentication components that directly manipulate Set-Cookie headers. While exact patch diffs aren't available, the CWE-614 description and OpenShift's architecture suggest these functions would be modified to add the missing security attributes in the patched version.


WAF Protection Rules

WAF Rule

In Openshift Origin the cookies being set in console have no 'secure', 'httpOnly' attributes.
