CWE-384
Session Fixation
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
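The pattern the description names, as an added worked example written for this page (it is not code from any project listed below, and every name in it, SessionStore, Session, login_vulnerable, login_hardened, fixation_attack, is an assumption made for the illustration): a toy server-side session store with a login that keeps the client's pre-authentication ID beside one that rotates it, plus a driver that plays the attacker against each.

```python
"""
Toy server-side session layer illustrating CWE-384.

login_vulnerable() authenticates *into* whatever session ID the client already
presents, so an ID the attacker planted earlier becomes the victim's
authenticated session. login_hardened() mints a new ID at the authentication
boundary and invalidates the old one. Every name here (SessionStore, Session,
login_*, fixation_attack) is an assumption made for this example, not the API
of any framework or project on this page.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None            # None until the user authenticates
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory store keyed by the opaque ID that travels in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # 256 bits from the OS CSPRNG; the ID is never derived from client input
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        # Only IDs this server issued resolve; a client-chosen ID is rejected
        return self._sessions.get(sid) if sid else None

    def destroy(self, sid: Optional[str]) -> None:
        if sid:
            self._sessions.pop(sid, None)


def login_vulnerable(store: SessionStore, presented_sid: Optional[str], user: str) -> str:
    """CWE-384: the pre-auth ID survives authentication unchanged."""
    sid = presented_sid if store.get(presented_sid) else store.create()
    store.get(sid).user = user
    return sid


def login_hardened(store: SessionStore, presented_sid: Optional[str], user: str) -> str:
    """Rotate the ID on the privilege change and kill the old one.

    Pre-auth state worth keeping (a cart, for instance) is copied into the new
    session so the rotation is invisible to the legitimate user.
    """
    old = store.get(presented_sid)
    new_sid = store.create()
    new_sess = store.get(new_sid)
    if old is not None:
        new_sess.data = dict(old.data)
    store.destroy(presented_sid)          # the fixed ID no longer resolves
    new_sess.user = user
    return new_sid


def logout(store: SessionStore, sid: Optional[str]) -> None:
    """Logout must destroy server-side state, not merely hand out a new ID."""
    store.destroy(sid)


LoginFn = Callable[[SessionStore, Optional[str], str], str]


def fixation_attack(login: LoginFn) -> bool:
    """Play the attacker; True means the planted ID now reads the victim's session."""
    store = SessionStore()
    # 1. Attacker fetches a legitimate, unauthenticated session ID from the app.
    planted_sid = store.create()
    # 2. Attacker gets the victim's browser to send that ID (a link carrying the
    #    ID in the URL, a cookie set from a sibling subdomain, and so on).
    # 3. Victim authenticates while presenting the planted ID.
    login(store, planted_sid, "alice")
    # 4. Attacker replays the ID they chose.
    hijacked = store.get(planted_sid)
    return hijacked is not None and hijacked.user == "alice"


def login_transition(login: LoginFn) -> dict:
    """Report what one login does to the session ID and to pre-auth state."""
    store = SessionStore()
    sid = store.create()
    store.get(sid).data["cart"] = ["sku-1"]     # constructed pre-auth state
    new_sid = login(store, sid, "bob")
    old_id_dead = store.get(sid) is None        # checked before logout on purpose
    logged_in = store.get(new_sid)
    logout(store, new_sid)
    return {
        "rotated": new_sid != sid,
        "old_id_dead": old_id_dead,
        "user": logged_in.user,
        "cart": logged_in.data.get("cart"),
        "dead_after_logout": store.get(new_sid) is None,
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name:10s} hijacked={fixation_attack(fn)} {login_transition(fn)}")
```

In a real framework the rotation step is a one-liner at the point where the authenticated principal is attached to the session: `req.session.regenerate()` in express-session, `session_regenerate_id(true)` in PHP, `HttpSession.invalidate()` followed by `request.getSession(true)` in a servlet container, `migrate(true)` on a Symfony session. The practitioner's check is the same regardless of stack: capture the session cookie before and after a successful login (and after logout) through an intercepting proxy; if the value is unchanged across login, or the pre-login value still resolves afterwards, the application is fixation-prone. Accepting the ID from the URL rather than a cookie, as in the WildFly Elytron entry below, removes the attacker's only hard step, planting the ID.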
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61
CVEs mapped to this weakness (205)
Page 9 of 11

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-24456 | | — | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. |
| CVE-2023-24444 | | — | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. |
| CVE-2023-24424 | | — | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. |
| CVE-2023-24427 | | — | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. |
| CVE-2023-22479 | | — | 0.00 | — | 0.00 | | Jan 10, 2023 | KubePi is a modern Kubernetes panel. A session fixation attack allows an attacker to hijack a legitimate user session, versions 1.6.3 and below are susceptible. A patch will be released in version 1.6.4. |
| CVE-2022-36437 | | — | 0.00 | — | 0.01 | | Dec 29, 2022 | The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and… |
| CVE-2022-4231 | | — | 0.00 | — | 0.00 | | Nov 30, 2022 | A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixation. The attack may be initiated remotely. The… |
| CVE-2022-43687 | | — | 0.00 | — | 0.01 | | Nov 14, 2022 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| CVE-2022-3269 | | — | 0.00 | — | 0.01 | | Sep 23, 2022 | Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. |
| CVE-2022-38054 | | — | 0.00 | — | 0.02 | | Sep 2, 2022 | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. |
| CVE-2022-2997 | | — | 0.00 | — | 0.01 | | Aug 25, 2022 | Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. |
| CVE-2022-25896 | | — | 0.00 | — | 0.01 | | Jul 1, 2022 | This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. |
| CVE-2022-24444 | | — | 0.00 | — | 0.01 | | Jun 28, 2022 | Silverstripe silverstripe/framework through 4.10 allows Session Fixation. |
| CVE-2022-1849 | | — | 0.00 | — | 0.01 | | May 24, 2022 | Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. |
| CVE-2022-24745 | | — | 0.00 | — | 0.01 | | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish… |
| CVE-2021-41246 | | — | 0.00 | — | 0.01 | | Dec 9, 2021 | Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session… |
| CVE-2021-41268 | | — | 0.00 | — | 0.01 | | Nov 24, 2021 | Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password.… |
| CVE-2021-21671 | | — | 0.00 | — | 0.02 | | Jun 30, 2021 | Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. |
| CVE-2020-10714 | | — | 0.00 | — | 0.01 | | Sep 23, 2020 | A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and… |
| CVE-2020-12467 | | — | 0.00 | — | 0.01 | | Apr 29, 2020 | Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. |