CVE-2019-3804
HIGHcockpit < 184 - Unauthenticated Denial of Service via Invalid Base64-Encoded Cookie
Title source: llmDescription
It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.
References (5)
Core 5
Core References
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:1569
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:1571
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3804
Patch, Third Party Advisory
https://github.com/cockpit-project/cockpit/commit/c51f6177576d7e12
Third Party Advisory
https://github.com/cockpit-project/cockpit/pull/10819
Scores
CVSS v3
7.5
EPSS
0.0486
EPSS Percentile
90.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-909
Status
published
Products (3)
cockpit-project/cockpit
< 184
fedoraproject/fedora
redhat/virtualization
4.0
Published
Mar 26, 2019
Tracked Since
Feb 18, 2026