GHSA-4m3m-ppvx-xgw9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4m3m-ppvx-xgw9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-4m3m-ppvx-xgw9/GHSA-4m3m-ppvx-xgw9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4m3m-ppvx-xgw9
- Aliases
- Published
- 2023-04-21T22:33:30Z
- Modified
- 2023-11-08T04:12:16.421461Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Session fixation in fastify-passport
- Details
-
Applications using
@fastify/passportfor user authentication, in combination with@fastify/sessionas the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers.Details
fastify applications rely on the
@fastify/passportlibrary for user authentication. The login and user validation are performed by theauthenticatefunction. When executing this function, thesessionIdis preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a validsessionIdcookie in the victim's browser and waiting for the victim to log in on the website.Fix
As a solution, newer versions of
@fastify/passportregeneratesessionIdupon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session.Credits
- Pedro Adão (@pedromigueladao), Instituto Superior Técnico, University of Lisbon
- Marco Squarcina (@lavish), Security & Privacy Research Unit, TU Wien
- Database specific
{ "nvd_published_at": "2023-04-21T23:15:20Z", "severity": "HIGH", "github_reviewed_at": "2023-04-21T22:33:30Z", "github_reviewed": true, "cwe_ids": [ "CWE-384" ] }- References
-
- https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9
- https://nvd.nist.gov/vuln/detail/CVE-2023-29019
- https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11
- https://github.com/fastify/fastify-passport
- https://owasp.org/www-community/attacks/Session_fixation
Affected packages
npm / @fastify/passport
Package
- Name
- @fastify/passport
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/passport
npm / @fastify/passport
Package
- Name
- @fastify/passport
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/passport