Fluid Attacks Database

Description

The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	lua-cgi	=5.2~alpha2-1.1 \|\| =5.2~alpha2-2 \|\| =6.0.2-1 \|\| =6.0.2-2
debian 12	lua-cgi	=5.2~alpha2-2 \|\| =6.0.2-1 \|\| =6.0.2-2
debian 13	lua-cgi	=5.2~alpha2-2 \|\| =6.0.2-1 \|\| =6.0.2-2

Aliases

1. CVE-2014-28752. NVD-2014-28753. OSV-DEBIAN-2014-28754. OSV-2014-28755. SECURITY-TRACKER-CVE-2014-2875

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.