| Name | CVE-2017-6807 |
| Description | mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libapache2-mod-auth-mellon (PTS) | buster | 0.14.2-1 | fixed |
| buster (security) | 0.14.2-1+deb10u1 | fixed |
| bullseye | 0.17.0-1+deb11u1 | fixed |
| bookworm | 0.18.1-1 | fixed |
| sid, trixie | 0.19.0-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
[jessie] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)