CVE-2018-1000519 (Medium) detected in aiohttp_session-0.8.0-py3-none-any.whl

[mend-bolt-for-github]

CVE-2018-1000519 - Medium Severity Vulnerability

Vulnerable Library - aiohttp_session-0.8.0-py3-none-any.whl

sessions for aiohttp.web

Library home page: https://files.pythonhosted.org/packages/9c/bb/e54fcbd084baa42b26afb65f499aa7b623c2803b75b835d19891b0431e39/aiohttp_session-0.8.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ aiohttp_session-0.8.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: de0527a205916cc732db2ba00a783f5d1bb0ec0d

Vulnerability Details

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).

Publish Date: 2018-06-26

URL: CVE-2018-1000519

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: aio-libs/aiohttp-session#272

Release Date: 2018-06-26

Fix Resolution: 2.4.0

---

Step up your Open Source Security Game with WhiteSource here