CWE-488
AllowedExposure of Data Element to Wrong Session
Abstraction: Base · Status: Draft
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
50 vulnerabilities reference this CWE, most recent first.
GHSA-HM8W-PXCF-MJ62
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-40210"
],
"database_specific": {
"cwe_ids": [
"CWE-488",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:14Z",
"severity": "HIGH"
},
"details": "Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-hm8w-pxcf-mj62",
"modified": "2024-04-04T03:59:29Z",
"published": "2023-05-10T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40210"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00772.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MFVP-7P3V-X9MH
Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-07-02 18:37In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/casdoor/casdoor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1000.1-0.20260321120606-239e8bd69487"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9098"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:37:59Z",
"nvd_published_at": "2026-05-28T17:16:34Z",
"severity": "CRITICAL"
},
"details": "In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.",
"id": "GHSA-mfvp-7p3v-x9mh",
"modified": "2026-07-02T18:37:59Z",
"published": "2026-05-28T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9098"
},
{
"type": "PACKAGE",
"url": "https://github.com/casdoor/casdoor"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Casdoor SAML callback handler accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest"
}
GHSA-P4RQ-VWGG-386F
Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30Exposure of Data Element to Wrong Session vulnerability in Mia Technology Inc. MİA-MED allows Read Sensitive Strings Within an Executable.This issue affects MİA-MED: before 1.0.7.
{
"affected": [],
"aliases": [
"CVE-2023-6519"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-08T12:15:55Z",
"severity": "HIGH"
},
"details": "Exposure of Data Element to Wrong Session vulnerability in Mia Technology Inc. M\u0130A-MED allows Read Sensitive Strings Within an Executable.This issue affects M\u0130A-MED: before 1.0.7.",
"id": "GHSA-p4rq-vwgg-386f",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-02-08T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6519"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHG3-GV66-Q38X
Vulnerability from github – Published: 2025-02-13 15:31 – Updated: 2025-03-03 15:31A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-rest"
},
"ranges": [
{
"events": [
{
"introduced": "3.16.0.CR1"
},
{
"fixed": "3.18.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-rest-deployment"
},
"ranges": [
{
"events": [
{
"introduced": "3.16.0.CR1"
},
{
"fixed": "3.18.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-rest"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0.CR1"
},
{
"fixed": "3.15.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-rest-deployment"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0.CR1"
},
{
"fixed": "3.15.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-rest-deployment"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1247"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-13T17:36:18Z",
"nvd_published_at": "2025-02-13T14:16:18Z",
"severity": "HIGH"
},
"details": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.",
"id": "GHSA-phg3-gv66-q38x",
"modified": "2025-03-03T15:31:24Z",
"published": "2025-02-13T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1247"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/issues/45789"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/02ff9ed45c3928edf2a0f8b906543606fed7cd53"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/d8df15cec17dc5d085efc372d77cbef1341ae071"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/f42166ee7041ed09b7183d5dbf3ece2439b16676"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1884"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:2067"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-1247"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"
},
{
"type": "PACKAGE",
"url": "https://github.com/quarkusio/quarkus"
},
{
"type": "WEB",
"url": "https://quarkus.io/blog/cve-fixes-feb-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance"
}
GHSA-PQMH-9H5R-56PF
Vulnerability from github – Published: 2026-07-04 09:31 – Updated: 2026-07-04 09:31A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument rollSiteSessionId/dstRole/dstPartyId leads to exposure of data element to wrong session. The attack can be executed remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
{
"affected": [],
"aliases": [
"CVE-2026-14621"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-04T09:16:27Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument rollSiteSessionId/dstRole/dstPartyId leads to exposure of data element to wrong session. The attack can be executed remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.",
"id": "GHSA-pqmh-9h5r-56pf",
"modified": "2026-07-04T09:31:45Z",
"published": "2026-07-04T09:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14621"
},
{
"type": "WEB",
"url": "https://github.com/FederatedAI/FATE/issues/5791"
},
{
"type": "WEB",
"url": "https://github.com/FederatedAI/FATE/pull/5792"
},
{
"type": "WEB",
"url": "https://github.com/FederatedAI/FATE"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-14621"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/844900"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376137"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376137/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QMVM-MG94-C39P
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-08-14 18:32In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.02.03 and Assetwise Information Integrity Server 23.00.04.04.
{
"affected": [],
"aliases": [
"CVE-2024-27455"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:28:00Z",
"severity": "CRITICAL"
},
"details": "In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user\u0027s ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.02.03 and Assetwise Information Integrity Server 23.00.04.04.",
"id": "GHSA-qmvm-mg94-c39p",
"modified": "2024-08-14T18:32:36Z",
"published": "2024-02-26T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27455"
},
{
"type": "WEB",
"url": "https://www.bentley.com/advisories/be-2024-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VFGC-WR54-M4R5
Vulnerability from github – Published: 2024-03-14 03:31 – Updated: 2024-03-14 03:31This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.
{
"affected": [],
"aliases": [
"CVE-2024-1223"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T03:15:07Z",
"severity": "MODERATE"
},
"details": "This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.",
"id": "GHSA-vfgc-wr54-m4r5",
"modified": "2024-03-14T03:31:15Z",
"published": "2024-03-14T03:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1223"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/Security-Bulletin-March-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ28-G7J2-2WXF
Vulnerability from github – Published: 2024-09-02 12:30 – Updated: 2024-09-02 12:30A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized users. This flaw allows a malicious user on the system to take control of the RDP client connection during the login screen-to-user session transition.
{
"affected": [],
"aliases": [
"CVE-2024-5148"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-02T12:15:19Z",
"severity": "HIGH"
},
"details": "A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized users. This flaw allows a malicious user on the system to take control of the RDP client connection during the login screen-to-user session transition.",
"id": "GHSA-vj28-g7j2-2wxf",
"modified": "2024-09-02T12:30:45Z",
"published": "2024-09-02T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5148"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-5148"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282003"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VXG9-7HHF-P3MH
Vulnerability from github – Published: 2024-08-13 09:30 – Updated: 2024-08-13 09:30A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.1), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.1), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8.1), SCALANCE M812-1 ADSL-Router family (All versions < V8.1), SCALANCE M816-1 ADSL-Router family (All versions < V8.1), SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2) (All versions < V8.1), SCALANCE M874-2 (6GK5874-2AA00-2AA2) (All versions < V8.1), SCALANCE M874-3 (6GK5874-3AA00-2AA2) (All versions < V8.1), SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2) (All versions < V8.1), SCALANCE M876-3 (6GK5876-3AA02-2BA2) (All versions < V8.1), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2) (All versions < V8.1), SCALANCE M876-4 (6GK5876-4AA10-2BA2) (All versions < V8.1), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2) (All versions < V8.1), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2) (All versions < V8.1), SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1) (All versions < V8.1), SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1) (All versions < V8.1), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1) (All versions < V8.1), SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1) (All versions < V8.1), SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1) (All versions < V8.1), SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1) (All versions < V8.1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1) (All versions < V8.1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1) (All versions < V8.1), SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2) (All versions < V8.1), SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2) (All versions < V8.1). Affected devices do not properly enforce isolation between user sessions in their web server component. This could allow an authenticated remote attacker to escalate their privileges on the devices.
{
"affected": [],
"aliases": [
"CVE-2024-41977"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T08:15:15Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions \u003c V8.1), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions \u003c V8.1), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions \u003c V8.1), SCALANCE M812-1 ADSL-Router family (All versions \u003c V8.1), SCALANCE M816-1 ADSL-Router family (All versions \u003c V8.1), SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2) (All versions \u003c V8.1), SCALANCE M874-2 (6GK5874-2AA00-2AA2) (All versions \u003c V8.1), SCALANCE M874-3 (6GK5874-3AA00-2AA2) (All versions \u003c V8.1), SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2) (All versions \u003c V8.1), SCALANCE M876-3 (6GK5876-3AA02-2BA2) (All versions \u003c V8.1), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2) (All versions \u003c V8.1), SCALANCE M876-4 (6GK5876-4AA10-2BA2) (All versions \u003c V8.1), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2) (All versions \u003c V8.1), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2) (All versions \u003c V8.1), SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1) (All versions \u003c V8.1), SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1) (All versions \u003c V8.1), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1) (All versions \u003c V8.1), SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1) (All versions \u003c V8.1), SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1) (All versions \u003c V8.1), SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1) (All versions \u003c V8.1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1) (All versions \u003c V8.1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1) (All versions \u003c V8.1), SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2) (All versions \u003c V8.1), SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2) (All versions \u003c V8.1). Affected devices do not properly enforce isolation between user sessions in their web server component. This could allow an authenticated remote attacker to escalate their privileges on the devices.",
"id": "GHSA-vxg9-7hhf-p3mh",
"modified": "2024-08-13T09:30:52Z",
"published": "2024-08-13T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41977"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-087301.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WRQV-PF6J-MQJP
Vulnerability from github – Published: 2024-03-05 20:49 – Updated: 2024-03-21 18:29Summary
A vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior.
Details
A bug in Deno's Node.js compatibility runtime results in data cross-reception during simultaneous asynchronous reads from Node.js network streams. When multiple independent network socket connections are involved, this vulnerability can be triggered. For instance, two separate server sockets that receive data from their respective client sockets and then echo the received data back to the client using Node.js streams may experience an issue where data from one socket may appear on another socket. Due to the improper isolation of the global buffer (BUF), data sent by one socket can end up being incorrectly received by another socket. Consequently, data intended for one session may be exposed to another session, potentially leading to data corruption and unexpected behavior.
This buffer was introduced as a performance optimization to avoid excessive allocations during network read operations.
In cases where the net.Stream is connected to a remote server such as a database or key/value store such as Redis, this may result in a packet received on one connection being presented to another, causing data cross-contamination between multiple users and potentially leaking sensitive information.
It is important to note that this vulnerability does not affect Deno network streams created with the Deno.listen and Deno.connect APIs.
The impact of this issue may extend beyond node.js network streams, however, and may also affect asynchronous reads from non-network node.js Stream such as those created from files.
PoC
https://github.com/denoland/deno/issues/20188
Impact
This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "deno"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.1"
},
{
"fixed": "1.36.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27935"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-05T20:49:14Z",
"nvd_published_at": "2024-03-21T02:52:22Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior.\n\n### Details\n\nA bug in Deno\u0027s Node.js compatibility runtime results in data cross-reception during simultaneous asynchronous reads from Node.js network streams. When multiple independent network socket connections are involved, this vulnerability can be triggered. For instance, two separate server sockets that receive data from their respective client sockets and then echo the received data back to the client using Node.js streams may experience an issue where data from one socket may appear on another socket. Due to the improper isolation of the global buffer (`BUF`), data sent by one socket can end up being incorrectly received by another socket. Consequently, data intended for one session may be exposed to another session, potentially leading to data corruption and unexpected behavior.\n\nThis buffer was introduced as a performance optimization to avoid excessive allocations during network read operations.\n\nIn cases where the [net.Stream](https://nodejs.org/api/net.html) is connected to a remote server such as a database or key/value store such as Redis, this may result in a packet received on one connection being presented to another, causing data cross-contamination between multiple users and potentially leaking sensitive information.\n\nIt is important to note that this vulnerability does not affect Deno network streams created with the `Deno.listen` and `Deno.connect` APIs. \n\nThe impact of this issue may extend beyond node.js network streams, however, and may also affect asynchronous reads from non-network node.js Stream such as those created from files.\n\n### PoC\n\nhttps://github.com/denoland/deno/issues/20188\n\n### Impact\n\nThis affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly.\n",
"id": "GHSA-wrqv-pf6j-mqjp",
"modified": "2024-03-21T18:29:19Z",
"published": "2024-03-05T20:49:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27935"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/issues/20188"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
},
{
"type": "PACKAGE",
"url": "https://github.com/denoland/deno"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Deno\u0027s Node.js Compatibility Runtime has Cross-Session Data Contamination"
}
Mitigation
Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions.
Mitigation
Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).
Mitigation
In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.