PT-2020-3629 · DAViCal · DAViCal Andrew's Web Libraries

Andrew Bartlett · Published 2020-04-15 · Updated 2020-08-18 · CVE-2020-11729

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: DAViCal Andrew's Web Libraries (AWL), versions through 0.60

Description: An issue in DAViCal Andrew's Web Libraries (AWL) allows a brute-force attack because the long-term session cookies, which are used to keep a session alive across visits, are generated insecurely. A remote attacker could use this to access confidential data, compromise data integrity, and cause a denial of service.

Recommendations: For versions through 0.60, as a temporary workaround, consider additional measures to protect long-term session cookies against brute-force attacks until a secure method of generating these cookies is implemented. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Session Fixation

Related Identifiers

BDU:2020-03976
CVE-2020-11729
DLA-2178-1
DSA-4660-1

Affected Products

DAViCal Andrew's Web Libraries