Vulnerability Name: CVE-2007-5034 (CCN-36784)
Assigned: 2007-02-24
Published: 2007-02-24
Updated: 2018-10-15
Summary: ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. Note: this issue only occurs when a proxy is defined for https.
CVSS v3 Severity:
3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:
Source: CCN Type: Elinks Bugzilla Bug 937 ELinks reveals POST data to HTTPS proxy
Source: CONFIRM Type: UNKNOWN http://bugzilla.elinks.cz/show_bug.cgi?id=937
Source: MITRE Type: CNA CVE-2007-5034
Source: CCN Type: ELinks Web site ELinks - Full-Featured Text WWW Browser
Source: CCN Type: RHSA-2007-0933 Moderate: elinks security update
Source: SECUNIA Type: UNKNOWN 26936
Source: SECUNIA Type: UNKNOWN 26949
Source: CCN Type: SA26956 ELinks Proxy CONNECT Weakness
Source: SECUNIA Type: UNKNOWN 26956
Source: SECUNIA Type: UNKNOWN 27038
Source: SECUNIA Type: UNKNOWN 27062
Source: SECUNIA Type: UNKNOWN 27125
Source: SECUNIA Type: UNKNOWN 27132
Source: CCN Type: SECTRACK ID: 1018764 ELinks May Disclose POST Request Data in Clear Text to Remote Users
Source: CCN Type: ASA-2007-411 ELinks security update (RHSA-2007-0933)
Source: DEBIAN Type: UNKNOWN DSA-1380
Source: DEBIAN Type: DSA-1380 elinks -- programming error
Source: REDHAT Type: UNKNOWN RHSA-2007:0933
Source: BUGTRAQ Type: UNKNOWN 20071005 rPSA-2007-0209-1 elinks
Source: BID Type: UNKNOWN 25799
Source: CCN Type: BID-25799 ELinks HTTPS POST Request Information Disclosure Weakness
Source: SECTRACK Type: UNKNOWN 1018764
Source: CCN Type: USN-519-1 elinks vulnerability
Source: UBUNTU Type: UNKNOWN USN-519-1
Source: VUPEN Type: UNKNOWN ADV-2007-3278
Source: CONFIRM Type: UNKNOWN https://bugs.launchpad.net/ubuntu/+source/elinks/+bug/141018
Source: CONFIRM Type: UNKNOWN https://bugzilla.redhat.com/show_bug.cgi?id=297981
Source: XF Type: UNKNOWN elinks-post-information-disclosure(36784)
Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:10335
Source: FEDORA Type: UNKNOWN FEDORA-2007-710
Source: FEDORA Type: UNKNOWN FEDORA-2007-2224
Vulnerable Configuration:
Configuration 1:
Configuration RedHat 1:
Configuration RedHat 2:
Configuration RedHat 3:
Configuration RedHat 4:
Configuration RedHat 5:
Configuration RedHat 6:
Configuration RedHat 7:
Configuration RedHat 8:
Configuration CCN 1: