DescriptionAn Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
horizon (PTS)buster3:14.0.2-3+deb10u2fixed
buster (security)3:14.0.2-3+deb10u3fixed
sid, trixie3:23.3.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
horizonsource(unstable)(not affected)


- horizon <not-affected> (Red Hat-specific packaging issue)
Seems to be specific to the way Red Hat distributes Horizon, the Debian
package defaults to SESSION_COOKIE_HTTPONLY = True

Search for package or bug name: Reporting problems