Session Fixation Affecting org.wildfly.security:wildfly-elytron-http-form package, versions [,1.11.4.Final)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGWILDFLYSECURITY-1768502
  • published29 Oct 2021
  • disclosed28 Oct 2021
  • creditUnknown

Introduced: 28 Oct 2021

CVE-2021-20324  (opens in a new tab)
CWE-384  (opens in a new tab)

How to fix?

Upgrade org.wildfly.security:wildfly-elytron-http-form to version 1.11.4.Final or higher.

Overview

org.wildfly.security:wildfly-elytron-http-form is a WildFly Security HTTP Basic Mechanism Implementation

Affected versions of this package are vulnerable to Session Fixation. A variation to the use of a session fixation exploit when using Undertow was found despite Undertow switching the session ID after authentication. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS Scores

version 3.1