GHSA-96c6-m98x-hxjx – zendframework/zend-session

Package

Manager: composer
Name: zendframework/zend-session
Vulnerable Version: >=2.0.0 <2.2.9 || >=2.3.0 <2.3.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Zend-Session session validation vulnerability `Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of `Zend\Session\SessionManager`): ``` $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); ``` The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session.

Metadata

Created: 2024-06-07T21:25:23Z
Modified: 2024-06-07T21:25:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-96c6-m98x-hxjx/GHSA-96c6-m98x-hxjx.json
CWE IDs: ["CWE-384"]
Alternative ID: N/A
Finding: F280
Auto approve: 1