mend-bolt-for-github bot changed the title from "CVE-2018-1000519 (Medium) detected in aiohttp-session-0.8.0.tar.gz" to "CVE-2018-1000519 (Medium) detected in aiohttp_session-0.8.0-py3-none-any.whl" on Feb 18, 2022
CVE-2018-1000519 - Medium Severity Vulnerability
Vulnerable Library - aiohttp_session-0.8.0-py3-none-any.whl
sessions for aiohttp.web
Library home page: https://files.pythonhosted.org/packages/9c/bb/e54fcbd084baa42b26afb65f499aa7b623c2803b75b835d19891b0431e39/aiohttp_session-0.8.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: de0527a205916cc732db2ba00a783f5d1bb0ec0d
Vulnerability Details
aio-libs aiohttp-session contains a Session Fixation vulnerability in the load_session function of RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appears to be exploitable via any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).
Publish Date: 2018-06-26
URL: CVE-2018-1000519
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: aio-libs/aiohttp-session#272
Release Date: 2018-06-26
Fix Resolution: 2.4.0