CVE-2015-8470 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2015-8470 Interim 1 25 2025-04-24T23:22:04Z current 2021-05-30T13:35:28Z 2025-04-24T23:22:04Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2015-8470 The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Server 11 SP1 for Teradata SUSE Linux Enterprise Server 11 SP3 LTSS SUSE Linux Enterprise Server 11 SP3 for Teradata SUSE Linux Enterprise Server 11 SP4-LTSS SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet puppet-server puppet as a component of SUSE Linux Enterprise Desktop 12 SP2 puppet as a component of SUSE Linux Enterprise Desktop 12 SP3 puppet as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet-server as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet as a component of SUSE Linux Enterprise Server 11 SP1 for Teradata puppet as a component of SUSE Linux Enterprise Server 11 SP3 LTSS puppet as a component of SUSE Linux Enterprise Server 11 SP3 for Teradata puppet as a component of SUSE Linux Enterprise Server 11 SP4-LTSS puppet-server as a component of SUSE Linux Enterprise Server 11 SP4-LTSS The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. CVE-2015-8470 SUSE Linux Enterprise Desktop 12 SP2:puppet SUSE Linux Enterprise Desktop 12 SP3:puppet SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-server SUSE Linux Enterprise Server 11 SP1 for Teradata:puppet SUSE Linux Enterprise Server 11 SP3 LTSS:puppet SUSE Linux Enterprise Server 11 SP3 for Teradata:puppet SUSE Linux Enterprise Server 11 SP4-LTSS:puppet SUSE Linux Enterprise Server 11 SP4-LTSS:puppet-server moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N