Description
The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/CVE-2015-8470
Scores
CVSS v3
6.5
EPSS
0.0162
EPSS Percentile
73.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
puppet/puppet_enterprise
3.7.0 - 3.7.2
Published
Dec 11, 2017
Tracked Since
Feb 18, 2026