exploitDog
GHSA-4m5p-5w5w-3jcf

Published: 12 Oct 2022
Source: github
GitHub: reviewed
CVSS3: 9.8

Description

com.enonic.xp:lib-auth vulnerable to Session Fixation

Impact

All id-providers using lib-auth login method.

Patches

https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4

Workarounds

Don't use lib-auth for login. The Java API works with the low-level session structures and lets you invalidate the previous session before the auth info is added.

References

https://github.com/enonic/xp/issues/9253

Packages

Name: com.enonic.xp:lib-auth
Ecosystem: maven
Affected versions: < 7.7.4
Fixed version: 7.7.4

EPSS

Percentile: 79%
0.01219
Low

9.8 Critical

CVSS3

Weaknesses

CWE-384

Related vulnerabilities

CVSS3: 9.8
nvd
about 2 years ago

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
