CVE-2015-1848

Published: May 14, 2015Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag.

Affected (9)

Products: Fedora: Pacemaker Configuration System · Redhat: Enterprise Linux High Availability, Enterprise Linux High Availability Eus, Enterprise Linux Resilient Storage, Enterprise Linux Resilient Storage Eus

Fedora

1 product

Pacemaker Configuration System

Redhat

4 products

Enterprise Linux High Availability

Enterprise Linux High Availability Eus

Enterprise Linux Resilient Storage

Enterprise Linux Resilient Storage Eus

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Fedora Pacemaker Configuration System	Up to 0.9.137

Configuration B

8 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux High Availability	Version 6.0
Redhat Enterprise Linux High Availability	Version 7.0
Redhat Enterprise Linux High Availability Eus	Version 6.6.z
Redhat Enterprise Linux High Availability Eus	Version 7.1
Redhat Enterprise Linux Resilient Storage	Version 6.0
Redhat Enterprise Linux Resilient Storage	Version 7.0
Redhat Enterprise Linux Resilient Storage Eus	Version 6.6.z
Redhat Enterprise Linux Resilient Storage Eus	Version 7.1