CVSS 3 Base Score: 4.3
Posted On: December 8, 2015
Assessed Risk Level: Medium

In previous releases, the JSESSIONID cookie served by the PE console did not have the Secure flag set. Although the PE Console uses HTTPS by default, a remote attacker could cause a user to send JSESSIONID cookies in plain text over an HTTP session, potentially allowing the session to be hijacked.

In PE 2015.3, the JSESSIONID cookie set by the PE Console has the Secure flag set by default.

Status:

Affected software versions:
Puppet Enterprise 3.7.x
Puppet Enterprise 3.8.x
Puppet Enterprise 2015.2.x

Resolved in:
Puppet Enterprise 2015.3.0
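
The check below is an added example, not part of the original advisory or of Puppet's code: it parses Set-Cookie header values and reports a JSESSIONID cookie that lacks the Secure attribute and would therefore be attached to plain-HTTP requests. The header values are constructed samples (attributes other than Secure are illustrative), and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# All header values below are constructed samples, not captured from PE.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes map to "".
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def sent_over(scheme, attrs):
    """Would a browser attach this cookie to a request using `scheme`?

    Only the Secure attribute is modelled; domain and path matching are
    out of scope for this check.
    """
    return scheme == "https" or "secure" not in attrs


def audit(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return a finding for every `cookie_name` cookie that lacks Secure."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == cookie_name and sent_over("http", attrs):
            findings.append(f"{name}: missing Secure, would be sent over plain HTTP")
    return findings


# Constructed samples modelling the behaviour before and after the fix.
BEFORE_FIX = ["JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"]
AFTER_FIX = ["JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(headers) or "ok")
```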