CVE-2018-1000814

Опубликовано: 20 дек. 2018

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.

Ссылки

https://github.com/aio-libs/aiohttp-session/issues/325
Exploit
Third Party Advisory
https://github.com/aio-libs/aiohttp-session/pull/331
Patch
Third Party Advisory
https://github.com/aio-libs/aiohttp-session/issues/325
Exploit
Third Party Advisory
https://github.com/aio-libs/aiohttp-session/pull/331
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:aio-libs:aiohttp_session:*:*:*:*:*:*:*:*

Версия до 2.6.0 (включая)

EPSS

Процентиль: 47%

0.00241

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-613

Связанные уязвимости

GHSA-mr4x-c4v9-x729