Cookie Security Flaw in NetApp OnCommand Unified Manager for Clustered Data ONTAP
CVE-2017-14053

7.5HIGH

Key Information:

Vendor: Netapp
Status: Oncommand Unified Manager For Clustered Data Ontap
Vendor: CVE Published:; 1 September 2017

Summary

The NetApp OnCommand Unified Manager for Clustered Data ONTAP before version 7.2P1 fails to set the secure flag for a specific cookie used in HTTPS sessions. This oversight allows remote attackers to capture the cookie unencrypted by intercepting its transmission during HTTP sessions, potentially compromising sensitive session information. Affected users should upgrade to the latest version to mitigate this risk.

References

https://kb.netapp.com/support/s/article/NTAP-20170831-0001

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 1, 2017
Vulnerability Reserved
Aug 31, 2017