First published: Fri Jan 04 2019
It was found that Cockpit before version 184 used glib's base64 decode functionality incorrectly, resulting in a denial of service. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie, which could cause the web service to crash.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Cockpit-project Cockpit | <184 | 
Fedoraproject Fedora | | 
Redhat Virtualization | =4.0 | 
redhat/cockpit | <184 | 184
CVE-2019-3804 is a vulnerability in Cockpit that allows an unauthenticated attacker to crash the web service by sending a specially crafted request carrying an invalid base64-encoded cookie.
The severity of CVE-2019-3804 is high, with a CVSS score of 7.5.
An attacker can exploit CVE-2019-3804 by sending a specially crafted request with an invalid base64-encoded cookie to the affected Cockpit web service; no authentication is required.
The software affected by CVE-2019-3804 includes Cockpit versions before 184, as well as the Fedora and Red Hat Virtualization products that ship it.
CVE-2019-3804 can be mitigated by updating Cockpit to version 184 or higher.
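The flaw above is a web service that crashes on a malformed base64 cookie instead of rejecting it. As an added example (not Cockpit's own code and not glib's decoder), here is a strict decoder for an untrusted cookie value that fails closed on any malformed input and always NUL-terminates its output before the result is treated as a string; the sample cookie values in `main` are constructed.

```c
/* Added example (not Cockpit's code): decode an untrusted base64 cookie
 * strictly, returning an error on malformed input rather than trusting
 * whatever a lenient decoder happens to produce. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict decoder: length must be a non-zero multiple of 4, only alphabet
 * characters, '=' padding only at the very end, output NUL-terminated.
 * Returns the decoded length, or -1 for malformed input or a small buffer. */
int cookie_b64_decode(const char *in, unsigned char *out, size_t out_cap)
{
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (size_t i = 0; i < n; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' allowed only as the last one or two chars of the input */
                if (i + 4 != n || k < 2 || (k == 2 && in[i + 3] != '=')) return -1;
                pad++; v[k] = 0;
            } else {
                if (pad) return -1;          /* data after padding */
                v[k] = b64_val(c);
                if (v[k] < 0) return -1;     /* character outside the alphabet */
            }
        }
        if (o + 3 - pad + 1 > out_cap) return -1;   /* keep room for the NUL */
        uint32_t bits = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = bits >> 16;
        if (pad < 2) out[o++] = (bits >> 8) & 0xff;
        if (pad < 1) out[o++] = bits & 0xff;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    unsigned char buf[64];
    /* Constructed sample cookie values: one well-formed, one malformed. */
    printf("valid:   %d\n", cookie_b64_decode("c2Vzc2lvbg==", buf, sizeof buf));
    printf("invalid: %d\n", cookie_b64_decode("c2Vzc2lvbg=x", buf, sizeof buf));
    return 0;
}
```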