Task #11716
Status: closed
Parent task: #11711: Security Vulnerability Scan 2023-05-18
Fix security issues in inventory.ase.cit.tum.de
Done: 0%
Description
{code:java}
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443
- 6.4 - Missing Secure Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - a66478df-1823-452e-8f8f-eb9db82388d0 - 1.3.6.1.4.1.25623.1.0.902661
summary: The remote HTTP web server / application is missing to set the
'Secure' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik82ckc3TmxKamt3UmpwWFMwb1ZvbXc9PSIsInZhbHVlIjoiRzFKRi9OdkhhYTFwbHZ5ZTJsKy9Bem9KcmFUdmxsenk1QUFSeG5BdGVNWGVJR2NxdTFsbVdyNlZoYjBuVUM4SkF3K3R0Mlk0ek1Xb0c0K0J3TlpkcXRDU1J0NC9GVGFPMllvajduQjVpVzhMMGxxcnRQUmJhdFBHaHJIV3o1UFAiLCJtYWMiOiIzMDY4OTQ2YjZhYjBjZmJhOTIxYjA3MjAwNjk1YWU3NGM5N2UyZjE4MDhkYzBmNjQ3Mzg4ZTdkNjMyMGZkYjY5IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=replaced; path=/
Set-Cookie: snipeit_session=MGGqE9fwjHRF7EzjrDTWiDr2yy0klyPX6JyTS6N8; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=replaced; path=/; httponly
are missing the "Secure" cookie attribute.
impact:
solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent
over a SSL/TLS connection.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443
- 6.4 - Missing Secure Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - ecd99ac4-5bcf-498e-bc6f-9344aa6d6443 - 1.3.6.1.4.1.25623.1.0.902661
summary: The remote HTTP web server / application is missing to set the
'Secure' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6IjlhaXRyZ3VQOExZaWZFMVlFSGZUdXc9PSIsInZhbHVlIjoiQzVSTm54dU5jS21kQzFKMjkrNE5KQmozU0NBc29FTFprd2luSUF2aUFyQkxFbWpkRVd1VTdGOG9IOHNvN3E3dENUMjVUYUk3NUt3TmhYOGNaT0tGUXVQNHdEZUlSWnBoWEF4Q3QzaENPOWxzYS96TnRxdTJsNFoxeUZNYzgxVVUiLCJtYWMiOiJiY2M0NTY1ZjU1OTBjYzVlZTQ1ZGIwMzY5MDRiNDMwMWU4NWI5YjA0ZDEwODU3NzU0MTFiNmUyZDNiNjEyNDViIiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:14 GMT; Max-Age=replaced; path=/
Set-Cookie: snipeit_session=BoeqCHFebv9zHbI91rwCuOGBe0as2VGi9rB4WcnC; expires=Tue, 23-May-2023 22:23:14 GMT; Max-Age=replaced; path=/; httponly
are missing the "Secure" cookie attribute.
impact:
solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent
over a SSL/TLS connection.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443
- 6.4 - Missing Secure Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - ee62e447-0959-4d5a-8417-a5466c00a4f8 - 1.3.6.1.4.1.25623.1.0.902661
summary: The remote HTTP web server / application is missing to set the
'Secure' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRJNWl0SzBMQkhHa2lNaVU1MG5BR1E9PSIsInZhbHVlIjoibHFOeEwxVElyZFZXek9DejkrU1lHeTk3eHhJV2UvWG5xM1hzZzBKalhnbE0xbW14V2VSL2M3Qm93amFBUWpOd21MUXNWd3Jiajlmam1LcWppT2I0Z3VEb0NObFJjSHZBS2UvTmRuOWQ5RXU3UW5OdldxZTBLSVpMUmFINU9YMFoiLCJtYWMiOiI4ZTQ4ZTQ5MDZhNGQwOTQwNmJhNTcyYTE1YTNkYzdjMzE4NjJjYzQ3OThkNWNjNmE3MmI4YmY2OTUyZDg2MWU1IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=replaced; path=/
Set-Cookie: snipeit_session=GM0pUqhWsksS758LI9mNCs1rOCsT5MSJ2dehKUlr; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=replaced; path=/; httponly
are missing the "Secure" cookie attribute.
impact:
solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent
over a SSL/TLS connection.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 80
- 5.0 - Missing HttpOnly Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - 5c2bdb62-acc8-4bda-b205-2b80ab865555 - 1.3.6.1.4.1.25623.1.0.105925
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlhmQ1YyVkZWRTRqdlA5eURyWU95ZWc9PSIsInZhbHVlIjoicTBxeFA0UHVCakYyMFo0cjl5bVBjWkw5dEFpaG1ZK0gxYTFGWnBvc3R1U2kzYVdHU2JranQvY3NQNkJjYjJ6dUVpRnZ1MlRWd2p2cGUwUDZIMlE1eXJZcEk4UXpKazNkRzFLSWZOVi9sait5SGVBNFlyVWc2WWsvZUVCa3FKSWwiLCJtYWMiOiI2ZmVmOTI2NTEzMTBlNzJiNmY1MjViZGFjMTEzOWQ4ZDdhMzA4ODkzY2QzZjRiMmRlMTk5NDU1YTQ0ZjI4NTA4IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:15 GMT; Max-Age=replaced; path=/
are missing the "HttpOnly" attribute.
impact:
solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 80
- 5.0 - Missing HttpOnly Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - 2e6f53d3-b26a-4bd0-8b19-8c0768e50042 - 1.3.6.1.4.1.25623.1.0.105925
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6IkhScFhWbE9scjhvNkhGNy9Eb3dKamc9PSIsInZhbHVlIjoiSTFaRzhiak5yQjlZTE1MU2JidVpsRWJueHAvUlBRbTRmK2RnV2RKMUF3UnhwcFc0YkZLRVNIWWU1QmI0dU1qcHJlWjJiNWlnWHhhVy91VjR5NTBCWSswV1JrZ3hHQitFcXRGcUpuOGxNNzc5RWpnMFNhUE03WVJLeGExZ290WlMiLCJtYWMiOiI1ZDU4MzNjYWQwMDQwYzE0OGEyNzc4ZmY5MTQzZjcyOTA5ZmVhZGIwOWIyZGY0ZTMwNjEyMGE2NzhmNWE2OWY1IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:15 GMT; Max-Age=replaced; path=/
are missing the "HttpOnly" attribute.
impact:
solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 80
- 5.0 - Missing HttpOnly Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - a31438d4-24ad-4897-b58d-c4c8d8b40502 - 1.3.6.1.4.1.25623.1.0.105925
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6Im42U1pEQmlKNTRHTVA1MXgzSUdvZ2c9PSIsInZhbHVlIjoiWTQ3VHRhcnR4TE5GNHlWMU9wNkRXc1BYN3JJZFdSczM2REpFZkVrVERJdlpGUjYyMXJzTUZPTDAxSEV4a2dvenJndDY2c0Ntdk5wWWR2U3A4bmhOTlJEK1JHMjZwWHpzZDkvTmlMSW83SXVYWlU2QzVDV1dDTlV6MndqSk1sMTAiLCJtYWMiOiJlZDdkYzEzOTY3ZjlhZTY2MzRjN2FiMmU1NmI4Y2M2NTE3NGIyODJjYjNhYTcxYzdiNzZkMDY1OTkzNmI5MDIxIiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:21:11 GMT; Max-Age=replaced; path=/
are missing the "HttpOnly" attribute.
impact:
solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443
- 5.0 - Missing HttpOnly Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - ee973ff2-9ff5-42ac-8875-33d72cae6b9d - 1.3.6.1.4.1.25623.1.0.105925
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6IjlhaXRyZ3VQOExZaWZFMVlFSGZUdXc9PSIsInZhbHVlIjoiQzVSTm54dU5jS21kQzFKMjkrNE5KQmozU0NBc29FTFprd2luSUF2aUFyQkxFbWpkRVd1VTdGOG9IOHNvN3E3dENUMjVUYUk3NUt3TmhYOGNaT0tGUXVQNHdEZUlSWnBoWEF4Q3QzaENPOWxzYS96TnRxdTJsNFoxeUZNYzgxVVUiLCJtYWMiOiJiY2M0NTY1ZjU1OTBjYzVlZTQ1ZGIwMzY5MDRiNDMwMWU4NWI5YjA0ZDEwODU3NzU0MTFiNmUyZDNiNjEyNDViIiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:14 GMT; Max-Age=replaced; path=/
are missing the "HttpOnly" attribute.
impact:
solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443
- 5.0 - Missing HttpOnly Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - d56fdad6-09a3-4bf6-a719-085e898d0097 - 1.3.6.1.4.1.25623.1.0.105925
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRJNWl0SzBMQkhHa2lNaVU1MG5BR1E9PSIsInZhbHVlIjoibHFOeEwxVElyZFZXek9DejkrU1lHeTk3eHhJV2UvWG5xM1hzZzBKalhnbE0xbW14V2VSL2M3Qm93amFBUWpOd21MUXNWd3Jiajlmam1LcWppT2I0Z3VEb0NObFJjSHZBS2UvTmRuOWQ5RXU3UW5OdldxZTBLSVpMUmFINU9YMFoiLCJtYWMiOiI4ZTQ4ZTQ5MDZhNGQwOTQwNmJhNTcyYTE1YTNkYzdjMzE4NjJjYzQ3OThkNWNjNmE3MmI4YmY2OTUyZDg2MWU1IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=replaced; path=/
are missing the "HttpOnly" attribute.
impact:
solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.
############################################################
host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443
- 5.0 - Missing HttpOnly Cookie Attribute (HTTP)
- 2023-05-15T14:20:48Z - bd3a2a97-7504-4d2a-9cc1-0fc6887a54e4 - 1.3.6.1.4.1.25623.1.0.105925
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookies:
Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik82ckc3TmxKamt3UmpwWFMwb1ZvbXc9PSIsInZhbHVlIjoiRzFKRi9OdkhhYTFwbHZ5ZTJsKy9Bem9KcmFUdmxsenk1QUFSeG5BdGVNWGVJR2NxdTFsbVdyNlZoYjBuVUM4SkF3K3R0Mlk0ek1Xb0c0K0J3TlpkcXRDU1J0NC9GVGFPMllvajduQjVpVzhMMGxxcnRQUmJhdFBHaHJIV3o1UFAiLCJtYWMiOiIzMDY4OTQ2YjZhYjBjZmJhOTIxYjA3MjAwNjk1YWU3NGM5N2UyZjE4MDhkYzBmNjQ3Mzg4ZTdkNjMyMGZkYjY5IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=replaced; path=/
are missing the "HttpOnly" attribute.
impact:
solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.{code}
Updated by Magnus Kühne about 2 months ago
Is this something that has to be done? I see the point of having the Secure attribute set, and I changed that, but for HttpOnly I am not so sure if it is necessary, and I could not find a way to do that within the application itself. [~ga27tun]
Updated by Anonymous about 2 months ago
- Parent task set to #11711