JVNDB-2004-000588

SSL-VPN products vulnerable to cookie theft

Overview

When an SSL-VPN product is used in a mode that lets a user log in with a username and password instead of SSL client authentication, the user's session could be hijacked.

CVSS Severity

Base Metrics: 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


Yokogawa Electric Corporation
  • SecureTicket before ver.4.0.b

Impact

An attacker may be able to intercept a session ID stored in a cookie and hijack a logged-in user's session.

Solution

Vendor Information

Yokogawa Electric Corporation

CWE

CVE

  1. CVE-2004-0462

References

  1. JVN : JVN#67B82FA3
  2. National Vulnerability Database (NVD) : CVE-2004-0462
  3. US-CERT Vulnerability Note : VU#546483
  4. ISS X-Force Database : 17702

Revision History

[2008/05/21]
  Web page published