{
  "threat_severity" : "Low",
  "public_date" : "2013-01-07T00:00:00Z",
  "bugzilla" : {
    "description" : "conga: insecure handling of luci web interface sessions",
    "id" : "607179",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=607179"
  },
  "cvss" : {
    "cvss_base_score" : "3.7",
    "cvss_scoring_vector" : "AV:L/AC:H/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "details" : [ "Luci in Red Hat Conga stores the user's username and password in a Base64 encoded string in the __ac session cookie, which allows attackers to gain privileges by accessing this cookie. NOTE: this issue has been SPLIT due to different vulnerability types. Use CVE-2013-7347 for the incorrect enforcement of a user timeout.", "It was discovered that luci stored usernames and passwords in session cookies. Because Base64 is a reversible encoding rather than encryption, this issue prevented the session inactivity timeout feature from working correctly, and allowed an attacker able to obtain a session cookie to recover the victim's plaintext authentication credentials simply by decoding it." ],
  "acknowledgement" : "Red Hat would like to thank George Hedfors (Cybercom Sweden East AB) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2013-01-08T00:00:00Z",
    "advisory" : "RHSA-2013:0128",
    "cpe" : "cpe:/a:redhat:rhel_cluster:5",
    "package" : "conga-0:0.12.2-64.el5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Affected",
    "package_name" : "conga",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2012-3359\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-3359" ],
  "name" : "CVE-2012-3359",
  "csaw" : false
}