PT-2020-12294 · Red Hat · Wildfly Elytron

Mark Banierink

Published: 2020-09-23 · Updated: 2022-11-08

CVE-2020-10714

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WildFly Elytron versions 1.11.3.Final and earlier

Description: A flaw was found in WildFly Elytron when using FORM authentication with a session ID in the URL, allowing an attacker to perform a session fixation attack. This poses a threat to data confidentiality and integrity, as well as system availability.

Recommendations: For WildFly Elytron versions 1.11.3.Final and earlier, consider disabling the use of session IDs in URLs for FORM authentication until a patch is available. Restrict access to sensitive data and implement additional security measures to minimize the risk of session fixation attacks.
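As an added illustration of the recommendation above (not code from WildFly Elytron, Red Hat or this advisory), the following standard Servlet 4.0 API code restricts session tracking to cookies so that a session ID can no longer travel in the URL, rejects any request that still presents one, and rotates the session ID once a request arrives authenticated. The class names and the marker attribute are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Hypothetical classes, shown together for brevity; each belongs in its own source file.
/** Restrict the container to cookie-based session tracking. */
@WebListener
class CookieOnlySessionListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Without URL tracking the container neither rewrites ";jsessionid=" into links
        // nor honours a session ID supplied in the request path.
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}

/** Defence in depth: refuse URL-carried session IDs and rotate the ID once authenticated. */
@WebFilter("/*")
class RejectUrlSessionIdFilter implements Filter {
    private static final String ROTATED = "session.id.rotated"; // hypothetical marker attribute

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // An ID that arrived in the URL may have been chosen by someone other than the user.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "session ID in URL not accepted");
            return;
        }
        HttpSession session = request.getSession(false);
        if (request.getUserPrincipal() != null && session != null
                && session.getAttribute(ROTATED) == null) {
            // Give the now-authenticated user a fresh ID (Servlet 3.1+) so that a
            // pre-login identifier cannot be reused against this session.
            request.changeSessionId();
            request.getSession().setAttribute(ROTATED, Boolean.TRUE);
        }
        chain.doFilter(request, response);
    }
}
```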

Fix

Session Fixation


Weakness Enumeration

Related Identifiers

CVE-2020-10714
GHSA-7FHR-2694-RG79
RHSA-2020:3461
RHSA-2020:3462
RHSA-2020:3463
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639

Affected Products

Wildfly Elytron