aiohttp-session Session Fixation vulnerability · CVE-2018-1000519 · GitHub Advisory Database · GitHub

aiohttp-session Session Fixation vulnerability

Moderate severity GitHub Reviewed Published Sep 13, 2018 to the GitHub Advisory Database • Updated Aug 17, 2023

Package

aiohttp-session (pip)

Affected versions

< 2.4.0

Patched versions

2.4.0

Description

The pypi package aiohttp-session before 2.4.0 contained a Session Fixation vulnerability in load_session function for RedisStorage that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).

References

Published to the GitHub Advisory Database Sep 13, 2018

Reviewed Jun 16, 2020

Last updated Aug 17, 2023

Severity

Moderate

6.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N