VYPR

CWE-384

Session Fixation

Compound · Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 9 of 11
  • CVE-2023-24456 · Jan 24, 2023
    risk 0.00 · cvss · epss 0.01

    Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

  • CVE-2023-24444 · Jan 24, 2023
    risk 0.00 · cvss · epss 0.01

    Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

  • CVE-2023-24424 · Jan 24, 2023
    risk 0.00 · cvss · epss 0.01

    Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.

  • CVE-2023-24427 · Jan 24, 2023
    risk 0.00 · cvss · epss 0.01

    Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

  • CVE-2023-22479 · Jan 10, 2023
    risk 0.00 · cvss · epss 0.00

    KubePi is a modern Kubernetes panel. A session fixation attack allows an attacker to hijack a legitimate user session, versions 1.6.3 and below are susceptible. A patch will be released in version 1.6.4.

  • CVE-2022-36437 · Dec 29, 2022
    risk 0.00 · cvss · epss 0.01

    The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and…

  • CVE-2022-4231 · Nov 30, 2022
    risk 0.00 · cvss · epss 0.00

    A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixation. The attack may be initiated remotely. The…

  • CVE-2022-43687 · Nov 14, 2022
    risk 0.00 · cvss · epss 0.01

    Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

  • CVE-2022-3269 · Sep 23, 2022
    risk 0.00 · cvss · epss 0.01

    Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

  • CVE-2022-38054 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.02

    In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

  • CVE-2022-2997 · Aug 25, 2022
    risk 0.00 · cvss · epss 0.01

    Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.

  • CVE-2022-25896 · Jul 1, 2022
    risk 0.00 · cvss · epss 0.01

    This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

  • CVE-2022-24444 · Jun 28, 2022
    risk 0.00 · cvss · epss 0.01

    Silverstripe silverstripe/framework through 4.10 allows Session Fixation.

  • CVE-2022-1849 · May 24, 2022
    risk 0.00 · cvss · epss 0.01

    Session Fixation in GitHub repository filegator/filegator prior to 7.8.0.

  • CVE-2022-24745 · Mar 9, 2022
    risk 0.00 · cvss · epss 0.01

    Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish…

  • CVE-2021-41246 · Dec 9, 2021
    risk 0.00 · cvss · epss 0.01

    Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session…

  • CVE-2021-41268 · Nov 24, 2021
    risk 0.00 · cvss · epss 0.01

    Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password.…

  • CVE-2021-21671 · Jun 30, 2021
    risk 0.00 · cvss · epss 0.02

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.

  • CVE-2020-10714 · Sep 23, 2020
    risk 0.00 · cvss · epss 0.01

    A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and…

  • CVE-2020-12467 · Apr 29, 2020
    risk 0.00 · cvss · epss 0.01

    Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.