Insufficient Session Expiration

Affecting aiohttp-session package, versions [,2.7.0)

Overview

aiohttp-session provides sessions for aiohttp.web.

Affected versions of this package are vulnerable to Insufficient Session Expiration via the EncryptedCookieStorage and NaClCookieStorage classes, which can result in non-expiring sessions with an infinite lifespan. The issue appears to be exploitable by recreating a cookie after its expiry with the same value: the expiry is enforced only by the browser's cookie attributes, so a cookie value presented again after that point is still accepted by the server.
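To make the weakness concrete, here is an added example (not aiohttp-session's own code) that contrasts a cookie-session store whose only expiry is the browser-side max_age with one that binds the creation time into the protected payload and checks it on every load. It assumes an HMAC-signed payload in place of the encrypted one used by the real storages, since the expiry check, not the confidentiality layer, is the point; the key and session values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for this example only; real deployments load it from a secret.
SECRET = b"constructed-example-key-32-bytes!"
MAC_LEN = 32  # SHA-256 digest size


def _seal(raw: bytes) -> str:
    # Stand-in for the encrypt-and-serialize step: HMAC keeps the payload tamper-evident.
    mac = hmac.new(SECRET, raw, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw + mac).decode()


def _open(cookie: str):
    # Returns the decoded payload, or None if the cookie is forged or corrupted.
    try:
        blob = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    if len(blob) < MAC_LEN:
        return None
    raw, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(SECRET, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return None


# Vulnerable pattern (CWE-613): expiry exists only as the Set-Cookie max_age attribute.
# The browser honours it, but a replayed cookie value is accepted at any later time.
def save_session_v1(data: dict) -> str:
    return _seal(json.dumps(data).encode())


def load_session_v1(cookie: str, now: float) -> dict:
    payload = _open(cookie)
    return payload if isinstance(payload, dict) else {}  # 'now' is never consulted


# Hardened pattern: the creation time travels inside the authenticated payload, so the
# server rejects any cookie older than max_age no matter how the client obtained it.
def save_session_v2(data: dict, now: float) -> str:
    return _seal(json.dumps({"created": now, "session": data}).encode())


def load_session_v2(cookie: str, now: float, max_age: int) -> dict:
    payload = _open(cookie)
    if not isinstance(payload, dict):
        return {}
    created = payload.get("created")
    if not isinstance(created, (int, float)) or now - created > max_age:
        return {}  # expired or malformed: start a fresh, empty session
    return payload.get("session", {})
```

Replaying a cookie issued at time 0 with a 60-second max_age at time 61 yields the original session from the first store and an empty session from the second.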

Remediation

Upgrade aiohttp-session to version 2.7.0 or higher.

CVSS Score

5.6
medium severity
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Unknown
CVE
CVE-2018-1000814
CWE
CWE-613
Snyk ID
SNYK-PYTHON-AIOHTTPSESSION-72728
Disclosed
11 Oct, 2018
Published
24 Dec, 2018