GHSA-4m5p-5w5w-3jcf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-4m5p-5w5w-3jcf/GHSA-4m5p-5w5w-3jcf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4m5p-5w5w-3jcf
- Aliases
- Published
- 2022-10-12T20:13:46Z
- Modified
- 2024-03-01T15:01:10Z
- Summary
- com.enonic.xp:lib-auth vulnerable to Session Fixation
- Details
-
Impact
All id-providers using lib-auth
loginmethod.Patches
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842 https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
Workarounds
Don't use lib-auth for
login. Java API uses low-level structures and allows to invalidate previous session before auth-info is added.References
https://github.com/enonic/xp/issues/9253
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-384" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-10-12T20:13:46Z" }- References
-
- https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
- https://github.com/enonic/xp/issues/9253
- https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
- https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
- https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
- https://github.com/enonic/xp
Affected packages
Maven / com.enonic.xp:lib-auth
Package
- Name
- com.enonic.xp:lib-auth
- View open source insights on deps.dev
- Purl
- pkg:maven/com.enonic.xp/lib-auth