Overview

CVE-2013-4762 (Logout Link Did Not Destroy Server Session)

  • Posted August 15, 2013

  • Assessed Risk Level: Low

When a user clicked the logout link, Puppet Enterprise generated and set a new puppet_enterprise_console cookie value but did not invalidate the old session on the server. This made it possible for an attacker holding a stolen session ID value to hijack the user’s session even after the user had logged out of the application, and to use that hijacked session to impersonate the user and gain access to the user’s account information. In other words, a compromised session ID remained usable even after the user had clicked the logout button.
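As an added illustration of the defect (constructed for this page, not the Puppet Enterprise console's own code), the following Ruby model of a server-side session store shows a logout that only rotates the cookie value beside one that also destroys the old server-side record, together with the regression check a reviewer would want: after logout, the old session ID must no longer resolve to the user. The store, the user label and the function names are assumptions of this example.

```ruby
require 'securerandom'

# Minimal in-memory server-side session store (constructed for this example).
# The session ID is the value that would travel in the puppet_enterprise_console cookie.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Create a session record and return its ID; user is nil for an unauthenticated session.
  def create(user)
    id = SecureRandom.hex(16)
    @sessions[id] = { user: user, created_at: Time.now }
    id
  end

  def lookup(id)
    @sessions[id]
  end

  def destroy(id)
    @sessions.delete(id)
  end
end

# Vulnerable logout: issues a fresh cookie value to the browser but leaves the
# old server-side record in place, so a stolen ID keeps resolving to the user.
def logout_vulnerable(store, _old_id)
  store.create(nil)
end

# Fixed logout: destroy the old server-side record first, then issue a fresh,
# unauthenticated session so no live authenticated ID survives the logout.
def logout_fixed(store, old_id)
  store.destroy(old_id)
  store.create(nil)
end

# Regression check: log a user in, log out with the given handler, then present
# the old ID as an attacker would. Returns true only if the old ID is dead and
# the new session carries no user.
def logout_invalidates_session?(store, user, logout)
  old_id = store.create(user)
  new_id = logout.call(store, old_id)
  store.lookup(old_id).nil? && store.lookup(new_id)[:user].nil?
end
```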

Status

  • Affected Versions: Puppet Enterprise 2.x, 3.0.0
  • Resolved in Puppet Enterprise 3.0.1