Bug 1830206 - wildfly-elytron: session fixation variation when using Undertow FORM authentication
Summary: wildfly-elytron: session fixation variation when using Undertow FORM authenti...
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1822718 2018242
Reported: 2020-05-01 05:29 UTC by Ted Jongseok Won
Modified: 2023-07-07 08:33 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description (Ted Jongseok Won, 2020-05-01 05:29:50 UTC)
A flaw was found in WildFly Elytron. A session fixation exploit where WildFly Elytron is in use has identified a possible variation that makes use of a session fixation exploit when using Undertow, despite Undertow switching the session ID AFTER authentication.

This exploit can be demonstrated with a default installation of JBoss EAP 7.2, 7.3 or WildFly. This would also be applicable with older EAP releases including EAP 6. However, JWS 5.3, 3.1.8 (tomcat7/tomcat8), and the latest Apache Tomcat 9.0.34 are not affected.
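The defence the report refers to, switching the session ID at the moment of authentication, illustrated as an added Python example. This is not code from the bug report or from WildFly, Elytron or Undertow; the credential table, the `SessionStore` class and the `pre_login_id_usable_after_login` check are constructed for the illustration. It shows the check a defender would run against a FORM login flow: whether a session ID that was already issued before login still reaches the authenticated session afterwards. Because the report does not describe the variation it found, the example models only the baseline behaviour (rotate vs. keep the ID at login), not that variation.

```python
import secrets

# Constructed credential table for the example; a real deployment checks a
# password hash in its identity store rather than a plain dict.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    """Compare in constant time so the check itself does not leak via timing."""
    expected = USERS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)


class SessionStore:
    """Minimal in-memory session store standing in for a container's session manager
    (constructed for this example, not Undertow's implementation)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def is_authenticated(self, sid):
        sess = self._sessions.get(sid)
        return bool(sess and sess["authenticated"])

    def form_login(self, sid, username, password, rotate_on_auth):
        """Handle a FORM login posted under session `sid`.

        rotate_on_auth=True: the pre-authentication session is discarded and the
        authenticated state exists only under a freshly generated id.
        rotate_on_auth=False: the id the client arrived with simply becomes
        authenticated, which is the fixation-prone behaviour.
        Returns the id the client must use from now on, or None if login failed.
        """
        if sid not in self._sessions or not check_credentials(username, password):
            return None
        if not rotate_on_auth:
            self._sessions[sid].update(authenticated=True, user=username)
            return sid
        del self._sessions[sid]                  # old id is no longer valid at all
        new_sid = self.create()
        self._sessions[new_sid].update(authenticated=True, user=username)
        return new_sid


def pre_login_id_usable_after_login(rotate_on_auth):
    """Defensive check: does a session id issued BEFORE the user authenticated still
    reach the authenticated session AFTER login? True means the flow is fixation-prone."""
    store = SessionStore()
    known_before_login = store.create()          # issued pre-auth, hence knowable pre-auth
    post_login = store.form_login(known_before_login, "alice",
                                  "correct horse battery staple", rotate_on_auth)
    if post_login is None:
        raise RuntimeError("login unexpectedly failed")
    return store.is_authenticated(known_before_login)


if __name__ == "__main__":
    print("keep id at login  :", pre_login_id_usable_after_login(False))
    print("rotate id at login:", pre_login_id_usable_after_login(True))
```

Running the module prints `True` for the keep-the-ID case and `False` when the ID is rotated; the same check, pointed at a real FORM login endpoint (compare the `JSESSIONID` cookie before and after a successful login), is the quickest way to confirm that a deployment is at least rotating the ID at authentication.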

