com.enonic.xp:lib-auth vulnerable to Session Fixation

Impact

All id-providers using lib-auth login method. lib-auth should invalidate old session after login and replicate session attributes in a new one, however this is not the behavior in affected versions.

Workarounds

Don't use lib-auth for login. Java API uses low-level structures and allows to invalidate previous session before auth-info is added.

References

https://github.com/enonic/xp/issues/9253

Published: Oct 12, 2022
Updated: Apr 14, 2023
GHSA: GHSA-4m5p-5w5w-3jcf
Severity: Critical
Exploit:

No technical information available.

CWEs:

CWE-384

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
com.enonic.xp / lib-auth	-	7.7.4

https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/issues/9253
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf

Vulnerability Database

290,278

com.enonic.xp:lib-auth vulnerable to Session Fixation

Impact

Workarounds

References