{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-03-13T00:00:00", "descriptions": [{"lang": "en", "value": "mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-14T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/UNINETT/mod_auth_mellon/releases/tag/v0.13.1"}, {"name": "96843", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96843"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sympa.uninett.no/lists/uninett.no/arc/modmellon/2017-03/msg00008.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-6807", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/UNINETT/mod_auth_mellon/releases/tag/v0.13.1", "refsource": "CONFIRM", "url": "https://github.com/UNINETT/mod_auth_mellon/releases/tag/v0.13.1"}, {"name": "96843", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96843"}, {"name": "https://sympa.uninett.no/lists/uninett.no/arc/modmellon/2017-03/msg00008.html", "refsource": "CONFIRM", "url": "https://sympa.uninett.no/lists/uninett.no/arc/modmellon/2017-03/msg00008.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:41:17.546Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/UNINETT/mod_auth_mellon/releases/tag/v0.13.1"}, {"name": "96843", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96843"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://sympa.uninett.no/lists/uninett.no/arc/modmellon/2017-03/msg00008.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-6807", "datePublished": "2017-03-13T14:00:00", "dateReserved": "2017-03-10T00:00:00", "dateUpdated": "2024-08-05T15:41:17.546Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uninett:mod_auth_mellon:*:*:*:*:*:*:*:*", "matchCriteriaId": "1628B928-2343-4CE6-8DF8-1DAD5DD7DF8D", "versionEndIncluding": "0.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site."}, {"lang": "es", "value": "mod_auth_mellon en versiones anteriores a 0.13.1 es vulnerable a un ataque de Transferencia de Sesi\u00f3n en Sitios Cruzados, donde un usuario con acceso a un sitio web ejecut\u00e1ndose en un servidor puede copiar su cookie de sesi\u00f3n a un sitio web diferente en el mismo servidor para obtener acceso a dicho sitio."}], "id": "CVE-2017-6807", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-13T14:59:00.177", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/96843"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/UNINETT/mod_auth_mellon/releases/tag/v0.13.1"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://sympa.uninett.no/lists/uninett.no/arc/modmellon/2017-03/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/96843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/UNINETT/mod_auth_mellon/releases/tag/v0.13.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://sympa.uninett.no/lists/uninett.no/arc/modmellon/2017-03/msg00008.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mod_auth_mellon: Cross-site session transfer vulnerability", "id": "1431670", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431670"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site.", "It was found that mod_auth_mellon was vulnerable to a cross-site session transfer attack. An attacker with access to one web site on a server could use the same session to get access to a different site running on the same server."], "name": "CVE-2017-6807", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "mod_auth_mellon", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "mod_auth_mellon", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2017-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-6807\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-6807"], "statement": "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "threat_severity": "Moderate"}