CVE-2014-9386

EUVD-2014-9208
Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.8 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:P/I:P/A:P |

Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| zenoss | zenoss_core | 𝑥 ≤ 4.2.5 |
| zenoss | zenoss_core | 2.4.0 |
| zenoss | zenoss_core | 2.4.5 |
| zenoss | zenoss_core | 2.5.0 |
| zenoss | zenoss_core | 2.5.1 |
| zenoss | zenoss_core | 2.5.2 |
| zenoss | zenoss_core | 3.0.0 |
| zenoss | zenoss_core | 3.0.1 |
| zenoss | zenoss_core | 3.0.2 |
| zenoss | zenoss_core | 3.0.3 |
| zenoss | zenoss_core | 3.1.0 |
| zenoss | zenoss_core | 3.2.0 |
| zenoss | zenoss_core | 3.2.1 |
| zenoss | zenoss_core | 4.2.0 |
| zenoss | zenoss_core | 4.2.3 |
| zenoss | zenoss_core | 4.2.4 |

𝑥 = Vulnerable software versions