CVE-2014-9386

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
zenosszenoss_core
𝑥
≤ 4.2.5
zenosszenoss_core
2.4.0
zenosszenoss_core
2.4.5
zenosszenoss_core
2.5.0
zenosszenoss_core
2.5.1
zenosszenoss_core
2.5.2
zenosszenoss_core
3.0.0
zenosszenoss_core
3.0.1
zenosszenoss_core
3.0.2
zenosszenoss_core
3.0.3
zenosszenoss_core
3.1.0
zenosszenoss_core
3.2.0
zenosszenoss_core
3.2.1
zenosszenoss_core
4.2.0
zenosszenoss_core
4.2.3
zenosszenoss_core
4.2.4
𝑥
= Vulnerable software versions
References
http://www.kb.cert.org/vuls/id/449452
https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing
http://www.kb.cert.org/vuls/id/449452
https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing