CWE-384
AllowedSession Fixation
Abstraction: Compound · Status: Incomplete
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
547 vulnerabilities reference this CWE, most recent first.
GHSA-M2WJ-R6G3-FXFX
Vulnerability from github – Published: 2023-11-12 15:51 – Updated: 2023-11-12 15:51Description
SessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations.
Resolution
Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Robert Meijers for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.21"
},
{
"fixed": "5.4.31"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.7"
},
{
"fixed": "6.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.21"
},
{
"fixed": "5.4.31"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.7"
},
{
"fixed": "6.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46733"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-12T15:51:54Z",
"nvd_published_at": "2023-11-10T18:15:09Z",
"severity": "MODERATE"
},
"details": "### Description\n\nSessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn\u0027t change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations.\n\n### Resolution\n\nSymfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74) for branch 5.4.\n\n### Credits\n\nWe would like to thank Robert Meijers for reporting the issue and providing the fix.",
"id": "GHSA-m2wj-r6g3-fxfx",
"modified": "2023-11-12T15:51:54Z",
"published": "2023-11-12T15:51:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46733"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/7467bd7e3f888b333102bc664b5e02ef1e7f88b9"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46733.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2023-46733"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symfony possible session fixation vulnerability"
}
GHSA-M53V-5X5X-5M2P
Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-22 00:12Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43687"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-22T00:12:25Z",
"nvd_published_at": "2022-11-14T23:15:00Z",
"severity": "MODERATE"
},
"details": "Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.",
"id": "GHSA-m53v-5x5x-5m2p",
"modified": "2022-11-22T00:12:25Z",
"published": "2022-11-15T12:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43687"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
},
{
"type": "WEB",
"url": "https://github.com/concretecms/concretecms/releases/8.5.10"
},
{
"type": "WEB",
"url": "https://github.com/concretecms/concretecms/releases/9.1.3"
},
{
"type": "WEB",
"url": "https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Concrete CMS vulnerable to Session Fixation"
}
GHSA-M6M8-C4CV-C66J
Vulnerability from github – Published: 2026-01-09 12:32 – Updated: 2026-01-09 12:32This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission.
Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.
{
"affected": [],
"aliases": [
"CVE-2026-22082"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-09T12:15:54Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission.\n \nSuccessful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.",
"id": "GHSA-m6m8-c4cv-c66j",
"modified": "2026-01-09T12:32:26Z",
"published": "2026-01-09T12:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22082"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M7J6-FV82-Q34R
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-12-03 15:30IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.
{
"affected": [],
"aliases": [
"CVE-2019-4439"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-25T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.",
"id": "GHSA-m7j6-fv82-q34r",
"modified": "2022-12-03T15:30:26Z",
"published": "2022-05-24T16:51:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4439"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162949"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10884892"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MC87-MP22-885H
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.
{
"affected": [],
"aliases": [
"CVE-2022-2820"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-384",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.",
"id": "GHSA-mc87-mp22-885h",
"modified": "2022-08-17T00:00:23Z",
"published": "2022-08-16T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2820"
},
{
"type": "WEB",
"url": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MCG7-2PF9-M48G
Vulnerability from github – Published: 2024-10-29 18:30 – Updated: 2024-10-30 18:30In NetAdmin 4.0.30319, an attacker can steal a valid session cookie and inject it into another device, granting unauthorized access. This type of attack is commonly referred to as session hijacking.
{
"affected": [],
"aliases": [
"CVE-2024-48955"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T18:15:05Z",
"severity": "HIGH"
},
"details": "In NetAdmin 4.0.30319, an attacker can steal a valid session cookie and inject it into another device, granting unauthorized access. This type of attack is commonly referred to as session hijacking.",
"id": "GHSA-mcg7-2pf9-m48g",
"modified": "2024-10-30T18:30:48Z",
"published": "2024-10-29T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48955"
},
{
"type": "WEB",
"url": "https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview"
},
{
"type": "WEB",
"url": "https://netadmin.software/gestao-de-identidade-e-acesso"
},
{
"type": "WEB",
"url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-48955\u0026sortby=bydate"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MCQX-WC2J-QX9V
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2024-01-09 22:38An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.29"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:github-oauth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1003019"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-09T22:38:20Z",
"nvd_published_at": "2019-02-06T16:29:00Z",
"severity": "MODERATE"
},
"details": "An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.",
"id": "GHSA-mcqx-wc2j-qx9v",
"modified": "2024-01-09T22:38:20Z",
"published": "2022-05-13T01:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003019"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/github-oauth-plugin/commit/3fcc367022c58486e5f52def3edbac92ed258ba4"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/github-oauth-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "GitHub Authentication Plugin session fixation vulnerability"
}
GHSA-MQ32-H66W-P4V5
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392.
{
"affected": [],
"aliases": [
"CVE-2017-12225"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-07T21:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user\u0027s administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user\u0027s session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392.",
"id": "GHSA-mq32-h66w-p4v5",
"modified": "2022-05-13T01:38:09Z",
"published": "2022-05-13T01:38:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12225"
},
{
"type": "WEB",
"url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf58392"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-prime-lms"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039285"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQ4X-R2W3-J7MR
Vulnerability from github – Published: 2024-03-11 21:25 – Updated: 2025-01-07 18:36Impact
ZITADEL uses a cookie to identify the user agent (browser) and its user sessions.
Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work.
If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain.
Patches
2.x versions are fixed on >= 2.46.0 2.45.x versions are fixed on >= 2.45.1 2.44.x versions are fixed on >= 2.44.3
ZITADEL recommends upgrading to the latest versions available in due course.
Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty.
Workarounds
For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your ZITADEL instance (e.g. within your WAF): __Secure-zitadel-useragent
References
None
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.44.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.45.0"
},
{
"fixed": "2.45.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28197"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-11T21:25:52Z",
"nvd_published_at": "2024-03-11T20:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\nZITADEL uses a cookie to identify the user agent (browser) and its user sessions. \n\nAlthough the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. \nA possible victim would need to login through the malicious link for this exploit to work. \n\nIf the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain.\n\n### Patches\n2.x versions are fixed on \u003e= [2.46.0](https://github.com/zitadel/zitadel/releases/tag/v2.46.0)\n2.45.x versions are fixed on \u003e= [2.45.1](https://github.com/zitadel/zitadel/releases/tag/v2.45.1)\n2.44.x versions are fixed on \u003e= [2.44.3](https://github.com/zitadel/zitadel/releases/tag/v2.44.3)\n\nZITADEL recommends upgrading to the latest versions available in due course.\n\nNote that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty.\n\n### Workarounds\nFor self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your ZITADEL instance (e.g. within your WAF): `__Secure-zitadel-useragent`\n\n### References\nNone\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\nThanks to Amit Laish \u2013 GE Vernova for finding and reporting the vulnerability.",
"id": "GHSA-mq4x-r2w3-j7mr",
"modified": "2025-01-07T18:36:00Z",
"published": "2024-03-11T21:25:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28197"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/d4c553b75a214e41299af010ef4b26174a0f802c"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/e82cb51eb819c6cdba8123c9c34c5739b46b29eb"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA]"
}
GHSA-MQPQ-8WG5-2CPJ
Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-11 12:00VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.
{
"affected": [],
"aliases": [
"CVE-2022-31689"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-09T21:15:00Z",
"severity": "CRITICAL"
},
"details": "VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.",
"id": "GHSA-mqpq-8wg5-2cpj",
"modified": "2022-11-11T12:00:34Z",
"published": "2022-11-10T12:01:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31689"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2022-0028.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Invalidate any existing session identifiers prior to authorizing a new user session.
Mitigation
For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-196: Session Credential Falsification through Forging
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-61: Session Fixation
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.