Common Weakness Enumeration

CWE-384

Allowed

Session Fixation

Abstraction: Compound · Status: Incomplete

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

547 vulnerabilities reference this CWE, most recent first.

GHSA-M2WJ-R6G3-FXFX

Vulnerability from github – Published: 2023-11-12 15:51 – Updated: 2023-11-12 15:51
VLAI
Summary
Symfony possible session fixation vulnerability
Details

Description

SessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations.

Resolution

Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Robert Meijers for reporting the issue and providing the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4.21"
            },
            {
              "fixed": "5.4.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2.7"
            },
            {
              "fixed": "6.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4.21"
            },
            {
              "fixed": "5.4.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2.7"
            },
            {
              "fixed": "6.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-12T15:51:54Z",
    "nvd_published_at": "2023-11-10T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Description\n\nSessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn\u0027t change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations.\n\n### Resolution\n\nSymfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74) for branch 5.4.\n\n### Credits\n\nWe would like to thank Robert Meijers for reporting the issue and providing the fix.",
  "id": "GHSA-m2wj-r6g3-fxfx",
  "modified": "2023-11-12T15:51:54Z",
  "published": "2023-11-12T15:51:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/7467bd7e3f888b333102bc664b5e02ef1e7f88b9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46733.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2023-46733"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Symfony possible session fixation vulnerability"
}

GHSA-M53V-5X5X-5M2P

Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-22 00:12
VLAI
Summary
Concrete CMS vulnerable to Session Fixation
Details

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-43687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-22T00:12:25Z",
    "nvd_published_at": "2022-11-14T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.",
  "id": "GHSA-m53v-5x5x-5m2p",
  "modified": "2022-11-22T00:12:25Z",
  "published": "2022-11-15T12:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43687"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/concretecms/concretecms/releases/8.5.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/concretecms/concretecms/releases/9.1.3"
    },
    {
      "type": "WEB",
      "url": "https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Concrete CMS vulnerable to Session Fixation"
}

GHSA-M6M8-C4CV-C66J

Vulnerability from github – Published: 2026-01-09 12:32 – Updated: 2026-01-09 12:32
VLAI
Details

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission.

Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-09T12:15:54Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission.\n  \nSuccessful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.",
  "id": "GHSA-m6m8-c4cv-c66j",
  "modified": "2026-01-09T12:32:26Z",
  "published": "2026-01-09T12:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22082"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M7J6-FV82-Q34R

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-12-03 15:30
VLAI
Details

IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-25T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.",
  "id": "GHSA-m7j6-fv82-q34r",
  "modified": "2022-12-03T15:30:26Z",
  "published": "2022-05-24T16:51:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4439"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162949"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10884892"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MC87-MP22-885H

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.",
  "id": "GHSA-mc87-mp22-885h",
  "modified": "2022-08-17T00:00:23Z",
  "published": "2022-08-16T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCG7-2PF9-M48G

Vulnerability from github – Published: 2024-10-29 18:30 – Updated: 2024-10-30 18:30
VLAI
Details

In NetAdmin 4.0.30319, an attacker can steal a valid session cookie and inject it into another device, granting unauthorized access. This type of attack is commonly referred to as session hijacking.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T18:15:05Z",
    "severity": "HIGH"
  },
  "details": "In NetAdmin 4.0.30319, an attacker can steal a valid session cookie and inject it into another device, granting unauthorized access. This type of attack is commonly referred to as session hijacking.",
  "id": "GHSA-mcg7-2pf9-m48g",
  "modified": "2024-10-30T18:30:48Z",
  "published": "2024-10-29T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview"
    },
    {
      "type": "WEB",
      "url": "https://netadmin.software/gestao-de-identidade-e-acesso"
    },
    {
      "type": "WEB",
      "url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-48955\u0026sortby=bydate"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCQX-WC2J-QX9V

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2024-01-09 22:38
VLAI
Summary
GitHub Authentication Plugin session fixation vulnerability
Details

An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.29"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:github-oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1003019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T22:38:20Z",
    "nvd_published_at": "2019-02-06T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.",
  "id": "GHSA-mcqx-wc2j-qx9v",
  "modified": "2024-01-09T22:38:20Z",
  "published": "2022-05-13T01:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/github-oauth-plugin/commit/3fcc367022c58486e5f52def3edbac92ed258ba4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/github-oauth-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GitHub Authentication Plugin session fixation vulnerability"
}

GHSA-MQ32-H66W-P4V5

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-07T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user\u0027s administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user\u0027s session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392.",
  "id": "GHSA-mq32-h66w-p4v5",
  "modified": "2022-05-13T01:38:09Z",
  "published": "2022-05-13T01:38:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12225"
    },
    {
      "type": "WEB",
      "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf58392"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-prime-lms"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039285"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQ4X-R2W3-J7MR

Vulnerability from github – Published: 2024-03-11 21:25 – Updated: 2025-01-07 18:36
VLAI
Summary
Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
Details

Impact

ZITADEL uses a cookie to identify the user agent (browser) and its user sessions.

Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work.

If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain.

Patches

2.x versions are fixed on >= 2.46.0 2.45.x versions are fixed on >= 2.45.1 2.44.x versions are fixed on >= 2.44.3

ZITADEL recommends upgrading to the latest versions available in due course.

Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty.

Workarounds

For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your ZITADEL instance (e.g. within your WAF): __Secure-zitadel-useragent

References

None

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.44.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.45.0"
            },
            {
              "fixed": "2.45.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-11T21:25:52Z",
    "nvd_published_at": "2024-03-11T20:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nZITADEL uses a cookie to identify the user agent (browser) and its user sessions. \n\nAlthough the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. \nA possible victim would need to login through the malicious link for this exploit to work. \n\nIf the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain.\n\n### Patches\n2.x versions are fixed on \u003e= [2.46.0](https://github.com/zitadel/zitadel/releases/tag/v2.46.0)\n2.45.x versions are fixed on \u003e= [2.45.1](https://github.com/zitadel/zitadel/releases/tag/v2.45.1)\n2.44.x versions are fixed on \u003e= [2.44.3](https://github.com/zitadel/zitadel/releases/tag/v2.44.3)\n\nZITADEL recommends upgrading to the latest versions available in due course.\n\nNote that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty.\n\n### Workarounds\nFor self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your ZITADEL instance (e.g. within your WAF): `__Secure-zitadel-useragent`\n\n### References\nNone\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\nThanks to Amit Laish \u2013 GE Vernova for finding and reporting the vulnerability.",
  "id": "GHSA-mq4x-r2w3-j7mr",
  "modified": "2025-01-07T18:36:00Z",
  "published": "2024-03-11T21:25:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/d4c553b75a214e41299af010ef4b26174a0f802c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/e82cb51eb819c6cdba8123c9c34c5739b46b29eb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA]"
}

GHSA-MQPQ-8WG5-2CPJ

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-11 12:00
VLAI
Details

VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.",
  "id": "GHSA-mqpq-8wg5-2cpj",
  "modified": "2022-11-11T12:00:34Z",
  "published": "2022-11-10T12:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31689"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2022-0028.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Invalidate any existing session identifiers prior to authorizing a new user session.

Mitigation
Architecture and Design

For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-196: Session Credential Falsification through Forging

An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.

CAPEC-21: Exploitation of Trusted Identifiers

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

CAPEC-39: Manipulating Opaque Client-based Data Tokens

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-61: Session Fixation

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.