{"containers": {"cna": {"affected": [{"product": "Red Hat Gluster Storage", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "3.4.0"}]}], "datePublic": "2018-05-08T00:00:00", "descriptions": [{"lang": "en", "value": "Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-09-12T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2018:2616", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2616"}, {"name": "1041597", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041597"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tendrl/api/pull/422"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-1127", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Red Hat Gluster Storage", "version": {"version_data": [{"version_value": "3.4.0"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user."}]}, "impact": {"cvss": [[{"vectorString": "4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-613"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:2616", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2616"}, {"name": "1041597", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041597"}, {"name": "https://github.com/Tendrl/api/pull/422", "refsource": "CONFIRM", "url": "https://github.com/Tendrl/api/pull/422"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.782Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:2616", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2616"}, {"name": "1041597", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041597"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Tendrl/api/pull/422"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-1127", "datePublished": "2018-09-11T15:00:00", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2024-08-05T03:51:48.782Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:gluster_storage:*:*:*:*:*:*:*:*", "matchCriteriaId": "E591E3BF-E10E-4502-9E50-58316A6588C3", "versionEndExcluding": "3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user."}, {"lang": "es", "value": "Tendrl API en Red Hat Gluster Storage en versiones anteriores a la 3.4.0 no elimina inmediatamente los tokens de sesi\u00f3n una vez el usuario ha cerrado sesi\u00f3n. Los tokens de sesi\u00f3n siguen activos durante unos pocos minutos, lo que permite que los atacantes reproduzcan los tokens adquiridos mediante ataques de rastreo o Man-in-the-Middle (MitM) y autentic\u00e1ndose como el usuario objetivo."}], "id": "CVE-2018-1127", "lastModified": "2019-10-09T23:38:10.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-09-11T15:29:00.593", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041597"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2616"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Tendrl/api/pull/422"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-613"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Filip Bal\u00e1k (Red Hat).", "affected_release": [{"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "python-flask-1:0.10.1-5.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "python-itsdangerous-0:0.23-2.el7", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-ansible-0:1.6.3-7.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-api-0:1.6.3-5.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-commons-0:1.6.3-12.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-gluster-integration-0:1.6.3-10.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-monitoring-integration-0:1.6.3-11.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-node-agent-0:1.6.3-10.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-notifier-0:1.6.3-4.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}, {"advisory": "RHSA-2018:2616", "cpe": "cpe:/a:redhat:storage:3.4:na:el7", "package": "tendrl-ui-0:1.6.3-11.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-05T00:00:00Z"}], "bugzilla": {"description": "tendrl-api: Improper cleanup of session token can allow attackers to hijack user sessions", "id": "1575835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1575835"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-613", "details": ["Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user."], "name": "CVE-2018-1127", "public_date": "2018-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1127\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1127"], "threat_severity": "Low", "upstream_fix": "rhes 3.4.0"}