9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
46.5%
All id-providers using lib-auth login
method.
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
Don’t use lib-auth for login
.
Java API uses low-level structures and allows to invalidate previous session before auth-info is added.
github.com/enonic/xp
github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
github.com/enonic/xp/issues/9253
github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
46.5%