Vulnerability Description
It was found that Cockpit before version 184 used GLib's base64 decode functionality incorrectly, resulting in a denial of service. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie, which could cause the web service to crash.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cockpit-Project | Cockpit | < 184 |
| Fedoraproject | Fedora | - |
| Redhat | Virtualization | 4.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:1569 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1571 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3804 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/cockpit-project/cockpit/commit/c51f6177576d7e12 (Patch, Third Party Advisory)
- https://github.com/cockpit-project/cockpit/pull/10819 (Third Party Advisory)
FAQ
What is CVE-2019-3804?
CVE-2019-3804 is a vulnerability with a CVSS score of 7.5 (HIGH). It was found that Cockpit before version 184 used GLib's base64 decode functionality incorrectly, resulting in a denial of service. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie, which could cause the web service to crash.
How severe is CVE-2019-3804?
CVE-2019-3804 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2019-3804?
Yes. The fix is in Cockpit 184 (see the upstream commit and pull request in the references section above); Red Hat advisories RHSA-2019:1569 and RHSA-2019:1571 cover the affected Red Hat products. Affected products include Cockpit-Project Cockpit (< 184), Fedoraproject Fedora, and Redhat Virtualization 4.0.