CVE-2008-3102
First published: Wed Sep 24 2008(Updated: )
Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CentOS Libreport-plugin-mantisbt | =1.2.0a1 | |
| CentOS Libreport-plugin-mantisbt | =1.2.0a2 | |
| CentOS Libreport-plugin-mantisbt | =1.1.0 | |
| CentOS Libreport-plugin-mantisbt | =1.1.2 | |
| CentOS Libreport-plugin-mantisbt | =1.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://int21.de/cve/CVE-2008-3102-mantis.html
- http://www.gentoo.org/security/en/glsa/glsa-200812-07.xml
- http://secunia.com/advisories/32975
- http://securityreason.com/securityalert/4298
- http://secunia.com/advisories/32243
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00648.html
- http://secunia.com/advisories/32330
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00504.html
- http://www.securityfocus.com/bid/31344
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45395
- http://www.securityfocus.com/archive/1/496684/100/0/threaded
- http://www.securityfocus.com/archive/1/496625/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2008-3102?
CVE-2008-3102 is classified as a medium severity vulnerability due to potential exposure of session cookies.
How do I fix CVE-2008-3102?
To fix CVE-2008-3102, ensure that the secure flag is set for session cookies in Mantis versions affected by this vulnerability.
Which versions of Mantis are affected by CVE-2008-3102?
CVE-2008-3102 affects MantisBT versions 1.1.0 through 1.1.2 and 1.2.0a2.
What are the risks associated with CVE-2008-3102?
The risks associated with CVE-2008-3102 include the potential for remote attackers to capture session cookies, leading to session hijacking.
Can CVE-2008-3102 affect both http and https sessions?
Yes, CVE-2008-3102 can affect both http and https sessions because cookies may be sent over insecure connections.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mantisbt
- canonical/centos libreport-plugin-mantisbt
- version/centos libreport-plugin-mantisbt/1.2.0a1
- version/centos libreport-plugin-mantisbt/1.2.0a2
- version/centos libreport-plugin-mantisbt/1.1.0
- version/centos libreport-plugin-mantisbt/1.1.2
- version/centos libreport-plugin-mantisbt/1.1.1