CVE-2015-8470

MEDIUM

Puppet Enterprise <3.7.x-2015.2.x - Info Disclosure

Title source: llm
STIX 2.1

Description

The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/CVE-2015-8470

Scores

CVSS v3 6.5
EPSS 0.0162
EPSS Percentile 73.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
puppet/puppet_enterprise 3.7.0 - 3.7.2
Published Dec 11, 2017
Tracked Since Feb 18, 2026