Vulnerability Description
The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Keplerproject | Cgilua | >= 5.0.0, <= 5.0.1 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2014/Apr/318Mailing ListThird Party Advisory
- http://www.securityfocus.com/archive/1/531981/100/0/threadedThird Party AdvisoryVDB Entry
- http://www.syhunt.com/en/index.php?n=Advisories.Cgilua-weaksessionidThird Party Advisory
- http://seclists.org/fulldisclosure/2014/Apr/318Mailing ListThird Party Advisory
- http://www.securityfocus.com/archive/1/531981/100/0/threadedThird Party AdvisoryVDB Entry
- http://www.syhunt.com/en/index.php?n=Advisories.Cgilua-weaksessionidThird Party Advisory
FAQ
What is CVE-2014-10400?
CVE-2014-10400 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SP...
How severe is CVE-2014-10400?
CVE-2014-10400 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-10400?
Check the references section above for vendor advisories and patch information. Affected products include: Keplerproject Cgilua.