CWE-384

Data: 2025-10-06

Severity: Medium

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Riferimenti:

• https://cwe.mitre.org/data/definitions/384.html

Componenti: govwayConsole e govwayMonitor

Descrizione

[Session Fixation]

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Such a scenario is commonly observed when:

• A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.

• An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

• The application or container uses predictable session identifiers.

In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user’s account through the active session.

GovWay

Versione affette:

• 3.3.x: <= 3.3.17

• 3.4.x: <= 3.4.0

Risoluzione:

• 3.3.x: 3.3.18

• 3.4.x: 3.4.1