CVE-2014-10399

NameCVE-2014-10399
DescriptionThe session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lua-cgi (PTS)jessie, buster, stretch5.2~alpha2-1fixed
bullseye5.2~alpha2-1.1fixed
sid, trixie, bookworm5.2~alpha2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lua-cgisourcewheezy(unfixed)end-of-life
lua-cgisource(unstable)(not affected)

Notes

- lua-cgi <not-affected> (session generation changed in 5.2.x, cf. CVE-2014-2875)
https://seclists.org/fulldisclosure/2014/Apr/318

Search for package or bug name: Reporting problems