CVE-2024-38513 – github.com/gofiber/fiber/v2/middleware/session
Package
Manager: go
Name: github.com/gofiber/fiber/v2/middleware/session
Vulnerable Version: >=0 <2.52.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00187 pctl0.40787
Details
Session Middleware Token Injection Vulnerability

A security vulnerability has been identified in the Fiber session middleware: a client can supply its own session_id value, and the middleware creates a session under that key instead of issuing a server-generated one.

## Impact

The vulnerability affects the session middleware in GoFiber v2 releases before 2.52.5. Because the middleware accepts a client-supplied session_id and creates a session with that key, an attacker can choose the session identifier a victim will use (session fixation, CWE-384): the attacker plants a known ID in the victim's browser, the victim authenticates, and the attacker then presents the same ID. Any application that treats the mere presence of a session as evidence of authentication, or that stores authorization state in a session without rotating its ID at login, is exposed to unauthorized access. All users of GoFiber's session middleware in the affected versions are impacted.

## Patches

The issue is fixed in version 2.52.5. Users are strongly encouraged to upgrade to 2.52.5 or later.

## Workarounds

Users who cannot upgrade immediately can reduce the risk as follows:

1. **Validate session IDs**: never accept a session ID from the client unless the server issued it. Use only server-generated IDs, and discard any presented value that is malformed or not found in the session store.
2. **Session management**: regenerate the session ID on login and on any privilege change, and enforce strict session expiration.

## References

For more information on session best practices:

- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

Users are encouraged to review these references and take immediate action to secure their applications.
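The following program is an added example and is not code from the Fiber project or from this advisory. Using only the Go standard library, it places a lookup that reproduces the behaviour described above (any client-presented session_id becomes a store key) beside the hardened lookup the workarounds call for: only IDs the server itself issued are honoured, malformed or expired values are dropped, and the ID is regenerated after login. The cookie name session_id, the in-memory store, and the names fixationProne, get, regenerate and requestWith are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sync"
	"time"
)

// cookieName is assumed for this example; the advisory calls the value session_id.
const cookieName = "session_id"

// store maps session IDs to their expiry. It is an in-memory stand-in for the
// application's session backend; per-session data is omitted for brevity.
type store struct {
	mu       sync.Mutex
	sessions map[string]time.Time // id -> expiry
	ttl      time.Duration
}

func newStore(ttl time.Duration) *store {
	return &store{sessions: make(map[string]time.Time), ttl: ttl}
}

// newID mints a 256-bit random hex ID; the hardened path stores no other kind of key.
func newID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand failed: " + err.Error())
	}
	return hex.EncodeToString(b)
}

// idShape is a cheap pre-filter on presented IDs; store membership is the real check.
var idShape = regexp.MustCompile(`^[0-9a-f]{64}$`)

// fixationProne reproduces the behaviour the advisory describes (an illustration,
// not Fiber's code): whatever session_id the client presents becomes a store key.
func (s *store) fixationProne(r *http.Request) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	id := newID()
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		id = c.Value // attacker-chosen key becomes the store key
	}
	if _, ok := s.sessions[id]; !ok {
		s.sessions[id] = time.Now().Add(s.ttl)
	}
	return id
}

// get is the hardened lookup: a presented ID is honoured only if it is well formed,
// was issued by this store and is unexpired; otherwise it is dropped and a fresh
// server-generated ID is returned. The bool reports whether the client's ID was accepted.
func (s *store) get(r *http.Request) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if c, err := r.Cookie(cookieName); err == nil && idShape.MatchString(c.Value) {
		if exp, ok := s.sessions[c.Value]; ok && time.Now().Before(exp) {
			return c.Value, true
		}
		delete(s.sessions, c.Value) // expired (or never issued): never revive it
	}
	id := newID()
	s.sessions[id] = time.Now().Add(s.ttl)
	return id, false
}

// regenerate replaces a session ID; call it after login or a privilege change so
// that an ID learned or planted beforehand stops resolving.
func (s *store) regenerate(old string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, old)
	id := newID()
	s.sessions[id] = time.Now().Add(s.ttl)
	return id
}

// requestWith builds a request carrying a constructed session cookie.
func requestWith(id string) *http.Request {
	r := httptest.NewRequest("GET", "/", nil)
	if id != "" {
		r.AddCookie(&http.Cookie{Name: cookieName, Value: id})
	}
	return r
}

func main() {
	planted := "attacker-chosen-session-id"
	v := newStore(time.Hour).fixationProne(requestWith(planted))
	_, accepted := newStore(time.Hour).get(requestWith(planted))
	fmt.Printf("fixation-prone store keyed on %q; hardened store accepted it: %v\n", v, accepted)
}
```

The point of the hardened get is that the store, not the cookie, is the source of truth: a value the server never issued can never become a key, so a planted ID is worthless to the attacker even before the victim logs in, and regenerate after authentication closes the window for an ID the attacker might have captured earlier. For Fiber itself the fix is to upgrade to 2.52.5 or later; this pattern is what the workarounds amount to when that is not yet possible.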
Metadata
Created: 2024-07-01T20:35:03Z
Modified: 2024-07-05T18:00:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-98j2-3j3p-fw2v/GHSA-98j2-3j3p-fw2v.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-98j2-3j3p-fw2v
Finding: F280
Auto approve: 1