Upstream information

CVE-2010-0386 at MITRE

Description

The default configuration of Sun Java System Application Server 7 and 7 2004Q2 enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)

Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Note from the SUSE Security Team

The SUSE Linux Enterprise default apache2 configuration still allows the HTTP 'TRACE' method, as the Apache httpd team does not consider TRACE a server-side vulnerability in itself (XST only becomes exploitable in combination with a client-side flaw such as cross-site scripting). Please refer to their page for further discussion and a method to disable TRACE using mod_rewrite.
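For administrators who want to disable TRACE on apache2 anyway, the following httpd configuration fragment is an added example (not SUSE's or the Apache project's own text): it shows the `TraceEnable` directive, which is the simplest method on any httpd release that supports it, next to the older mod_rewrite approach the note refers to. The `TraceEnable` directive, `RewriteCond`/`RewriteRule` and the `%{REQUEST_METHOD}` variable are real httpd features; the file path is a placeholder.

```apache
# /etc/apache2/conf.d/no-trace.conf  (placeholder path for this example)

# Preferred: reject TRACE at the core, before any module sees the request.
# httpd answers TRACE with "405 Method Not Allowed" when this is off.
TraceEnable off

# Alternative for releases without TraceEnable, or where it cannot be set
# globally: match the request method with mod_rewrite and return 403.
# Per-vhost rules must be repeated in each <VirtualHost>, which is why the
# core directive above is the safer default.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE$
    RewriteRule .* - [F]
</IfModule>
```

After reloading apache2, `curl -i -X TRACE http://localhost/` should return 405 (TraceEnable) or 403 (mod_rewrite) instead of echoing the request headers back.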

SUSE Bugzilla entry: 1058233 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.