It was found that Cockpit before version 184 used GLib's base64 decode functionality incorrectly, resulting in a denial of service. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie, which could cause the web service to crash.

The product does not initialize a critical resource.
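The advisory does not show the affected code, so the following is an added illustration rather than Cockpit's own code or a use of the GLib API: a self-contained strict base64 decoder in C that applies the handling a service should use for an attacker-supplied cookie. The output length is initialized before any work is done (so a caller can never read an uninitialized length), any malformed input is rejected with an error return instead of being trusted, and the caller treats a rejected cookie as absent rather than aborting the process. The function names `base64_decode_strict` and `handle_cookie` and the sample cookie values are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if it is not
 * part of the standard alphabet ("=" padding is handled by the caller). */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Strictly decode a base64 string such as a cookie value (constructed example,
 * not GLib's g_base64_decode).  Returns 0 on success and -1 on any malformed
 * input: characters outside the alphabet, a length that is not a multiple of
 * four, misplaced padding, or output that would overflow out_cap.
 * *out_len is always written, even on failure, so the caller never works
 * with an uninitialized length.
 */
int base64_decode_strict(const char *in, unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t n, i, o = 0;

    *out_len = 0;                        /* initialize before anything can fail */
    if (in == NULL || out == NULL || out_len == NULL) return -1;
    n = strlen(in);
    if (n == 0 || n % 4 != 0) return -1;

    for (i = 0; i < n; i += 4) {
        int v[4];
        int pad = 0;
        int j, want;
        unsigned char b0, b1, b2;

        for (j = 0; j < 4; j++) {
            unsigned char c = (unsigned char)in[i + j];
            if (c == '=') {
                /* padding is only legal in the last two positions of the final quantum */
                if (i + 4 != n || j < 2) return -1;
                pad++;
                v[j] = 0;
            } else {
                if (pad) return -1;      /* data after a padding character */
                v[j] = b64_value(c);
                if (v[j] < 0) return -1; /* character outside the alphabet */
            }
        }

        /* each 4-character quantum yields 3 bytes, fewer for a padded final one */
        b0 = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        b1 = (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
        b2 = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
        want = 3 - pad;
        if (o + (size_t)want > out_cap) return -1; /* never write past the buffer */
        out[o++] = b0;
        if (want > 1) out[o++] = b1;
        if (want > 2) out[o++] = b2;
    }
    *out_len = o;
    return 0;
}

/* Simulated request path (constructed): returns 1 if the cookie decoded to a
 * non-empty value, 0 if it was rejected.  A rejected cookie is treated exactly
 * like a missing cookie, so a malformed value cannot crash the service. */
int handle_cookie(const char *cookie_value, unsigned char *buf, size_t cap, size_t *len)
{
    if (cookie_value == NULL) return 0;
    if (base64_decode_strict(cookie_value, buf, cap, len) != 0 || *len == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed sample cookie values: one valid, three malformed */
    const char *samples[] = { "bm90YXRva2Vu", "!!!!", "aGVsbG8", "AB==CD==" };
    unsigned char buf[64];
    size_t len, k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int ok = handle_cookie(samples[k], buf, sizeof buf, &len);
        printf("cookie %-14s -> %s (%zu bytes)\n", samples[k],
               ok ? "accepted" : "rejected, treated as absent", len);
    }
    return 0;
}
```

The decoder deliberately refuses anything that is not canonical base64 rather than decoding "as much as it can": a cookie is untrusted input, and the safe outcome for a malformed value is an unauthenticated request, not a crash.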
Name | Vendor | Start Version | End Version |
---|---|---|---|
Cockpit | Cockpit-project | * | 184 (excluding) |
Red Hat Enterprise Linux 7 | RedHat | cockpit-0:173.2-1.el7 | * |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | redhat-release-virtualization-host-0:4.3-0.8.el7 | * |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | redhat-virtualization-host-0:4.3-20190610.0.el7_6 | * |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | rhvm-appliance-0:4.3-20190605.0.el7 | * |
Cockpit | Ubuntu | bionic | * |
Cockpit | Ubuntu | cosmic | * |
Cockpit | Ubuntu | disco | * |
Cockpit | Ubuntu | eoan | * |
Cockpit | Ubuntu | groovy | * |
Cockpit | Ubuntu | hirsute | * |
Cockpit | Ubuntu | impish | * |
Cockpit | Ubuntu | kinetic | * |
Cockpit | Ubuntu | upstream | * |