CVE-2018-1000519

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1000519

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000519.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1000519

Aliases

Published

2018-06-26T16:29:01.307Z

Modified

2025-11-20T10:45:17.432046Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

aio-libs aiohttp-session contains a Session Fixation vulnerability in loadsession function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttpsession/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).

References

Affected packages

Git / github.com/aio-libs/aiohttp-session

Affected ranges

Type: GIT
Repo: https://github.com/aio-libs/aiohttp-session
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fb095051cb9e1f4c121270ae2ddc6c893cdd192f

Affected versions

v0.*

v0.0.1

v0.1.0

v0.1.1

v0.1.2

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.2.0

v1.2.1

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.2.0

v2.3.0