{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-09T00:00:00", "descriptions": [{"lang": "en", "value": "Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-07-11T13:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2014:0858", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0858.html"}, {"name": "RHSA-2014:0859", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0859.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:05:39.195Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2014:0858", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0858.html"}, {"name": "RHSA-2014:0859", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0859.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0174", "datePublished": "2014-07-11T14:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:39.195Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_mrg:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8082D9CA-E5CC-4B92-9F45-E257F246069F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie."}, {"lang": "es", "value": "Cumin (tambi\u00e9n conocido como MRG Management Console), utilizado en Red Hat Enterprise MRG 2.5, no incluye el indicador HTTPOnly en una cabecera Set-Cookie para la cookie de la sesi\u00f3n, lo que facilita a atacantes remotos obtener informaci\u00f3n potencialmente sensible a trav\u00e9s del acceso de secuencias de comandos a esta cookie."}], "id": "CVE-2014-0174", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-11T14:55:03.617", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0858.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0859.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0858.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0859.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Stanislav Graf (Red Hat).", "affected_release": [{"advisory": "RHSA-2014:0859", "cpe": "cpe:/a:redhat:enterprise_mrg:2::el5", "package": "cumin-0:0.1.5796-4.el5_9", "product_name": "MRG for RHEL-5 v. 2", "release_date": "2014-07-09T00:00:00Z"}, {"advisory": "RHSA-2014:0858", "cpe": "cpe:/a:redhat:enterprise_mrg:2:server:el6", "package": "cumin-0:0.1.5797-3.el6", "product_name": "Red Hat Enterprise MRG 2", "release_date": "2014-07-09T00:00:00Z"}], "bugzilla": {"description": "cumin: session cookies lack httponly setting", "id": "1086000", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1086000"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "details": ["Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.", "It was found that Cumin did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie."], "name": "CVE-2014-0174", "public_date": "2014-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0174\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0174"], "threat_severity": "Moderate"}