CVE-2024-23679 - OpenCVE

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enonic	Xp

Configuration 1 [-]

OR	cpe:2.3:a:enonic:xp::::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta1::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta2::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta3::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc1::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc2::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc3::::::

No data.

References

Link	Providers
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/issues/9253
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2024-01-19T20:23:03.781Z

Updated: 2024-08-01T23:06:25.362Z

Reserved: 2024-01-19T17:35:09.984Z

Link: CVE-2024-23679

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-19T21:15:10.073

Modified: 2024-01-26T19:12:45.117

Link: CVE-2024-23679

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23679", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2024-01-19T17:35:09.984Z", "datePublished": "2024-01-19T20:23:03.781Z", "dateUpdated": "2024-08-01T23:06:25.362Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "com.enonic.xp:lib-auth", "versions": [{"lessThan": "7.7.4", "status": "affected", "version": "0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.</p>"}], "value": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.\n\n"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2024-01-19T20:23:03.781Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["issue-tracking"], "url": "https://github.com/enonic/xp/issues/9253"}, {"tags": ["related"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"tags": ["related"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"tags": ["related"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"tags": ["third-party-advisory"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}], "source": {"discovery": "INTERNAL"}, "title": "Enonic XP Session Fixation Vulnerability"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.362Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/enonic/xp/issues/9253"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enonic:xp:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FC6521F-C0B8-4FE8-BE06-FAB57CFFE61A", "versionEndExcluding": "7.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "0231ECC2-744B-4441-942B-514C943F7294", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "DD92F3AC-0C60-4588-B5DE-3488F7B38C18", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "7B807EF9-DADE-4C67-8AAF-E29C70D8D32F", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "0BB4FF1C-13D7-4385-A4EB-27750E88AE3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "890C984E-B1AD-4213-B355-DB26E6B1BE8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "E156CC35-DC76-463E-8882-86C36814976E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.\n\n"}, {"lang": "es", "value": "Las versiones de Enonic XP inferiores a 7.7.4 son vulnerables a un problema de reparaci\u00f3n de sesi\u00f3n. Un atacante remoto y no autenticado puede utilizar sesiones anteriores debido a la falta de atributos de sesi\u00f3n invalidantes."}], "id": "CVE-2024-23679", "lastModified": "2024-01-26T19:12:45.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T21:15:10.073", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking"], "url": "https://github.com/enonic/xp/issues/9253"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}