| Vulnerability Name: | CVE-2008-6722 (CCN-46353) |
| Assigned: | 2008-11-04 |
| Published: | 2008-11-04 |
| Updated: | 2009-04-29 |
| Summary: | Novell Access Manager 3 SP4 does not properly expire X.509 certificate sessions, which allows physically proximate attackers to obtain a logged-in session by using a victim's web-browser process that continues to send the original and valid SSL sessionID, related to inability of Apache Tomcat to clear entries from its SSL cache. |
| CVSS v3 Severity: | 2.2 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N) |
| CVSS v2 Severity: | 1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N); 1.5 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR); 1.2 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:S/C:N/I:P/A:N/E:U/RL:U/RC:UR) |
| Vulnerability Type: | CWE-200 |
| Vulnerability Consequences: | Bypass Security |
| References: | Source: MITRE, Type: CNA, CVE-2008-6722; Source: OSVDB, Type: UNKNOWN, 49737; Source: CCN, Type: SA32554, Novell Access Manager Identity Server X509 Session Improper Termination; Source: SECUNIA, Type: Vendor Advisory, 32554; Source: CCN, Type: Novell Security Alert Document ID: 7001788, Security Vulnerability: Logged out users authenticated with X509 certificates can log back in without resending personal certificates using the same browser window; Source: CONFIRM, Type: UNKNOWN, http://www.novell.com/support/viewContent.do?externalId=7001788; Source: CCN, Type: OSVDB ID: 49737, Novell Access Manager Identity Server X509 Session Termination Failure; Source: BID, Type: UNKNOWN, 32121; Source: CCN, Type: BID-32121, Novell Access Manager Local Browser Security Bypass Vulnerability; Source: VUPEN, Type: Vendor Advisory, ADV-2008-3012; Source: XF, Type: UNKNOWN, novell-amis-x509-security-bypass(46353) |
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable |