CVE-2024-35220

@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
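The pattern described above, as an added illustration that is not @fastify/session's own code: a hypothetical cookie-restore routine that recomputes `expires` from `maxAge` on every restore (so a persisted expiry is lost and the session never looks expired), beside a version that keeps the stored `expires`. Function names and the sample timestamps are constructed for this example.

```javascript
// Added example, not code from @fastify/session. Demonstrates the CWE-613
// pattern behind CVE-2024-35220 with a simulated session store.

// Cookie as a session store would hand it back (constructed sample).
function storedCookie(expiresAt) {
  return { maxAge: 60 * 60 * 1000, expires: new Date(expiresAt) };
}

// Vulnerable pattern: whenever maxAge is set, expires is recomputed from
// "now", discarding the persisted expiry. A stale session looks fresh.
function restoreCookieVulnerable(stored, now) {
  const cookie = { ...stored };
  if (cookie.maxAge != null) {
    cookie.expires = new Date(now.getTime() + cookie.maxAge);
  }
  return cookie;
}

// Fixed pattern: the persisted expires wins; maxAge is only used to derive
// an expiry when none was stored.
function restoreCookieFixed(stored, now) {
  const cookie = { ...stored };
  if (cookie.expires == null && cookie.maxAge != null) {
    cookie.expires = new Date(now.getTime() + cookie.maxAge);
  }
  return cookie;
}

// Expiry check a store cleanup or request hook would run.
function isExpired(cookie, now) {
  return cookie.expires != null && cookie.expires.getTime() <= now.getTime();
}

// A session that expired two hours before "now" (constructed timestamps).
function demo() {
  const now = new Date('2024-05-21T21:15:00Z');
  const stale = storedCookie(now.getTime() - 2 * 60 * 60 * 1000);
  return {
    vulnerableDetectsExpiry: isExpired(restoreCookieVulnerable(stale, now), now),
    fixedDetectsExpiry: isExpired(restoreCookieFixed(stale, now), now),
  };
}
```

Running `demo()` shows the vulnerable restore reporting the two-hour-old session as still valid while the fixed restore flags it as expired.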
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type       | Values Removed                                                                              | Values Added
References | https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f        | https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
References | https://github.com/fastify/session/issues/251                                               | https://github.com/fastify/session/issues/251
References | https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg                 | https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
Summary
  • (es, translated) @fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the "expires" field is overridden if the "maxAge" field was set. This means a cookie is never correctly detected as expired and, therefore, expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.

21 May 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-21 21:15

Updated : 2024-11-21 09:19


NVD link : CVE-2024-35220

Mitre link : CVE-2024-35220

CVE.ORG link : CVE-2024-35220

Products Affected

No product.

CWE
CWE-613

Insufficient Session Expiration