Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00bTVwLTV3NXctM2pjZs4AAvTD
com.enonic.xp:lib-auth vulnerable to Session Fixation
Impact
All id-providers using lib-auth login method.
Patches
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
Workarounds
Don't use lib-auth for login.
Java API uses low-level structures and allows to invalidate previous session before auth-info is added.
References
https://github.com/enonic/xp/issues/9253
Permalink: https://github.com/advisories/GHSA-4m5p-5w5w-3jcfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00bTVwLTV3NXctM2pjZs4AAvTD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 3 months ago
Identifiers: GHSA-4m5p-5w5w-3jcf
References:
- https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
- https://github.com/enonic/xp/issues/9253
- https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
- https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
- https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
- https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
Blast Radius: 1.0
Affected Packages
maven:com.enonic.xp:lib-auth
Dependent packages: 1Dependent repositories: 0
Downloads:
Affected Version Ranges: < 7.7.4
Fixed in: 7.7.4
All affected versions:
All unaffected versions: 7.11.0, 7.11.1, 7.11.3, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.14.0, 7.14.1