Because of this reliance on the cookie's own expiry, storage backends with inherent expiry, such as Redis or Memcached, were not vulnerable. On backends that keep all session state in the cookie itself, such as EncryptedCookieStorage and NaClCookieStorage, a malicious client can simply re-present a cookie carrying the same session data after it should have expired. This effectively provides infinite-lifetime sessions and defeats the purpose of session expiry, which is to minimize the attack window on the most vulnerable part of an application's authentication: the session transfer.
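The following is an added illustration of the defect, not code from aiohttp-session itself: a minimal cookie-only session store whose expiry is left to the browser's Max-Age, alongside a hardened loader that embeds the creation time in the authenticated cookie payload and enforces max_age on the server. The HMAC sealing, the key and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment derives this from configuration.
SECRET = b"constructed-demo-key-not-for-real-use"
MAC_LEN = hashlib.sha256().digest_size

def _seal(payload: bytes) -> str:
    # Authenticate the payload so the client cannot alter it (integrity only, no secrecy).
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def _open(cookie: str):
    # Return the decoded document, or None when the cookie is malformed or its MAC fails.
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)

def make_cookie(session: dict, now: int) -> str:
    # The creation time is part of the authenticated payload, so the client cannot change it.
    return _seal(json.dumps({"created": now, "session": session}).encode())

def load_session_vulnerable(cookie: str, max_age: int, now: int):
    # Expiry delegated entirely to the browser's Max-Age: any authentic cookie is
    # accepted however old it is, so a replayed copy yields an unlimited-lifetime session.
    doc = _open(cookie)
    return None if doc is None else doc["session"]

def load_session_fixed(cookie: str, max_age: int, now: int):
    # Server-side check: reject a cookie whose embedded creation time is older than max_age.
    doc = _open(cookie)
    if doc is None:
        return None
    if max_age is not None and now - doc["created"] > max_age:
        return None
    return doc["session"]
```

The vulnerable loader accepts the same cookie a day after it was issued; the fixed loader rejects it once the server-side age exceeds max_age, regardless of what the client's browser does with the cookie.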
On Oct 13 2018 the vulnerability was patched with aiohttp-session#331 and aiohttp-session v2.7.0 was released.
Finally on Dec 20 2018 this vulnerability was assigned CVE-2018-1000814.
Side effects
The applied patch of #331 does have some side effects. The patch breaks an implicit behavior of the library to create 'idle sessions'. So if you are not using one of the vulnerable backends and are utilizing aiohttp-session for idle sessions, your best bet is to freeze your dependencies to aiohttp-session==2.6.0 until a fix is released.
Other references
Vulndb
NVD/NIST