CVE-2020-10714

Published: 28 Apr 2020
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Mitigation

This attack depends on the attacker being able to create a session and on the victim accessing that session before it expires. The default session timeout is 15 minutes, but an attacker can keep the session alive by sending a request to it every five minutes or so. By default the server supports session tracking by both URL and cookie; if web.xml is changed to allow COOKIE tracking only, the exploit is no longer possible by sharing a link that carries the session ID. Treat this as a workaround for the link-sharing vector rather than a fix: apply the errata listed under Affected packages. The general defence against CWE-384 is for the application to issue a new session ID when the user authenticates (HttpServletRequest.changeSessionId() in Servlet 3.1 and later), so that an ID the victim obtained before login is never the ID of the authenticated session.

Change

```xml
<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config>
```

to

```xml
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```
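Two checks a practitioner would want after reading the mitigation above: an audit of web.xml that flags any deployment still honouring URL session tracking (including the case where no tracking-mode is declared, which the advisory says defaults to cookie and URL), and a check of a captured login exchange that tells whether the server kept an attacker-supplied jsessionid across authentication. This is an added example, not code from Red Hat or the WildFly Elytron project; it assumes only the standard Servlet web.xml schema and the conventional JSESSIONID name, and the web.xml fragments, shared link and HTTP responses in it are constructed for illustration.

```python
"""Audit helpers for CVE-2020-10714 (session fixation via a URL-carried session ID).

Added example, not code from Red Hat or the WildFly Elytron project. It relies
only on the standard Servlet web.xml schema (<session-config>/<tracking-mode>
with values COOKIE, URL, SSL) and the conventional JSESSIONID name; the sample
web.xml documents and HTTP exchange below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Set, Tuple

# Constructed web.xml fragments: the first never pins a tracking mode, the
# second applies the advisory's mitigation.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>"""

COOKIE_ONLY_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>15</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace, which differs between Servlet schema versions."""
    return tag.rsplit("}", 1)[-1]


def tracking_modes(web_xml: str) -> Set[str]:
    """Return the session tracking modes a web.xml allows.

    No <tracking-mode> element is reported as {"COOKIE", "URL"}: per the
    advisory, the server supports both by default, so a deployment that never
    pins the mode still accepts a session ID embedded in the URL.
    """
    root = ET.fromstring(web_xml)
    modes = {
        el.text.strip().upper()
        for el in root.iter()
        if _local(el.tag) == "tracking-mode" and el.text
    }
    return modes or {"COOKIE", "URL"}


def url_tracking_enabled(web_xml: str) -> bool:
    """True when the deployment would honour ;jsessionid=... in a shared link."""
    return "URL" in tracking_modes(web_xml)


# ;jsessionid=XYZ as appended by Servlet URL rewriting, and JSESSIONID=XYZ in Set-Cookie.
_ID_IN_PATH = re.compile(r";jsessionid=([A-Za-z0-9._-]+)", re.IGNORECASE)
_ID_IN_COOKIE = re.compile(r"JSESSIONID=([^;\s]+)", re.IGNORECASE)


def fixation_check(request_path: str,
                   response_headers: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Decide whether the server kept an attacker-supplied session ID across login.

    request_path is the link the victim followed (for example
    /app/j_security_check;jsessionid=EVIL); response_headers are the headers of
    the response to the successful FORM login. The session counts as fixated
    when the request carried an ID and the server neither issued a different
    JSESSIONID cookie nor redirected to a URL carrying a different ID.
    """
    match = _ID_IN_PATH.search(request_path)
    supplied = match.group(1) if match else None
    issued: Set[str] = set()
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            cookie = _ID_IN_COOKIE.search(value)
            if cookie:
                issued.add(cookie.group(1))
        elif name.lower() == "location":
            redirect = _ID_IN_PATH.search(value)
            if redirect:
                issued.add(redirect.group(1))
    fresh_id_issued = any(i != supplied for i in issued)
    return {
        "supplied_id": supplied,
        "issued_ids": issued,
        "fixated": supplied is not None and not fresh_id_issued,
    }


# Constructed post-login responses: one keeps the attacker's ID, one rotates it.
SHARED_LINK = "/app/j_security_check;jsessionid=EVIL0000000000000000000000"
VULNERABLE_RESPONSE = [("Location", "/app/home;jsessionid=EVIL0000000000000000000000")]
HARDENED_RESPONSE = [("Set-Cookie", "JSESSIONID=Fr3shIdIssuedAtLogin; Path=/app; HttpOnly; Secure"),
                     ("Location", "/app/home")]

if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_WEB_XML), ("cookie-only", COOKIE_ONLY_WEB_XML)):
        print(f"{label}: modes={sorted(tracking_modes(xml))} url_tracking={url_tracking_enabled(xml)}")
    print("vulnerable:", fixation_check(SHARED_LINK, VULNERABLE_RESPONSE))
    print("hardened:  ", fixation_check(SHARED_LINK, HARDENED_RESPONSE))
```

Run tracking_modes over every web.xml in a deployment to find applications that still need the COOKIE-only change; feed fixation_check a real captured exchange (victim follows a link with ;jsessionid=, logs in, inspect the response) to confirm that a patched server no longer continues the attacker's session after authentication.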

Affected packages

| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | wildfly-elytron | Affected | | |
| Red Hat Data Grid 8 | wildfly-elytron | Not affected | | |
| Red Hat OpenShift Application Runtimes | wildfly-elytron | Affected | | |
| EAP-CD 20 Tech Preview | wildfly-elytron | Fixed | RHSA-2020:3585 | 2020-08-31 |
| Red Hat Data Grid 7.3.7 | wildfly-elytron | Fixed | RHSA-2020:3779 | 2020-09-17 |
| Red Hat Fuse 7.9 | wildfly-elytron | Fixed | RHSA-2021:3140 | 2021-08-11 |
| Red Hat JBoss Enterprise Application Platform 7 | wildfly-elytron | Fixed | RHSA-2020:3642 | 2020-09-07 |
| Red Hat JBoss Enterprise Application Platform 7 | wildfly-elytron | Fixed | RHSA-2020:3464 | 2020-08-17 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-dom4j | Fixed | RHSA-2020:3637 | 2020-09-07 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-elytron-web | Fixed | RHSA-2020:3637 | 2020-09-07 |


Additional information

Red Hat severity: Moderate
Weakness: CWE-384 (Session Fixation)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1825714 (wildfly-elytron: session fixation when using FORM authentication)

EPSS: 0.00366 (58th percentile, Low)
CVSS3: 7.5 (High)

Related vulnerabilities

nvd (CVSS3: 7.5, more than 5 years ago): same description as the Red Hat text above.

github (CVSS3: 7.5, almost 4 years ago): Session Fixation in WildFly Elytron
