Lucene search

Veracode Vulnerability DatabaseVERACODE:47669

HistoryJun 20, 2024 - 7:32 a.m.

Insecure Authentication

2024-06-2007:32:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

insecure authentication

improper session handling

arbitrary session ids

user sessions manipulation

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

JSON

magento/community-edition is vulnerable to Insecure authentication. The vulnerability is due to improper session handling that allows an unauthenticated user to append arbitrary session IDs which will not be invalidated by subsequent authentication, allowing attackers to hijack or manipulate user sessions.

References

github.com/advisories/GHSA-8mwx-wpp4-5xh4

github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8149.yaml

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

JSON

Related for VERACODE:47669