logo

Database

Session Fixation In aiohttp-session

Description

aiohttp-session creates non-expiring sessions aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2018-10008142. NVD-2018-10008143. OSV-2018-10008144. GHSA-mr4x-c4v9-x7295. GCVE-2018-1000814

References

1. https://github.com/aio-libs/aiohttp-session/issues/3252. https://github.com/aio-libs/aiohttp-session/pull/3313. https://github.com/aio-libs/aiohttp-session/commit/1b356f01bbab57d041c9a75bacd72fbbf85247284. https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp-session/PYSEC-2018-35.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-TK1ML – Vulnerability | Fluid Attacks Database