GHSA-4m5p-5w5w-3jcf – com.enonic.xp:lib-auth

Package

Manager: maven
Name: com.enonic.xp:lib-auth
Vulnerable Version: >=0 <7.7.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

com.enonic.xp:lib-auth vulnerable to Session Fixation ### Impact All id-providers using lib-auth `login` method. ### Patches https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842 https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4 ### Workarounds Don't use lib-auth for `login`. Java API uses low-level structures and allows to invalidate previous session before auth-info is added. ### References https://github.com/enonic/xp/issues/9253

Metadata

Created: 2022-10-12T20:13:46Z
Modified: 2024-03-01T15:01:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-4m5p-5w5w-3jcf/GHSA-4m5p-5w5w-3jcf.json
CWE IDs: ["CWE-384"]
Alternative ID: N/A
Finding: F280
Auto approve: 1