
CWE-384 (Session Fixation) — Vulnerability Class (145 CVEs)

145 vulnerabilities classified as CWE-384 (Session Fixation). AI-generated Chinese-language analysis included.

CWE-384, Session Fixation, is an authentication weakness where an application fails to invalidate existing session identifiers upon user login. This flaw allows attackers to predict or fix a victim’s session ID before authentication occurs. Typically, an attacker tricks a user into accessing a malicious link containing the attacker’s known session ID. When the victim logs in, the server associates the authenticated session with that pre-existing ID, granting the attacker immediate access to the victim’s account without needing credentials. To prevent this, developers must generate a new, random session identifier immediately after successful authentication. Additionally, implementing secure session management practices, such as regenerating IDs after privilege changes and using secure, HTTP-only cookies, ensures that stolen session tokens remain useless to attackers, effectively mitigating the risk of session hijacking.

MITRE CWE Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Such a scenario is commonly observed when:
- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
- The application or container uses predictable session identifiers.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design: Invalidate any existing session identifiers prior to authorizing a new user session.
Architecture and Design: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481]. Effectiveness: Moderate
Examples (2)
The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

    private void auth(LoginContext lc, HttpSession session) throws LoginException {
        ...
        lc.login();
        ...
    }

Bad · Java

The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to j_security_check, which typically does not invalidate the existing session before processing the login request.

    <form method="POST" action="j_security_check">
        <input type="text" name="j_username">
        <input type="text" name="j_password">
    </form>

Bad · HTML
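A hardened counterpart to the auth() snippet above that applies both the first mitigation (invalidate the pre-login session and let the container issue a fresh ID) and the secondary-cookie check from the second mitigation. This is an added example, not code from the CWE entry or from any product listed below; it assumes the javax.servlet and JAAS APIs, and the cookie/attribute name SESSBIND is an arbitrary choice.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.*;

public class SessionFixationDefense {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String BIND = "SESSBIND"; // cookie/attribute name, an assumption
    // Hardened counterpart of the page's auth(): authenticate, then discard the session the
    // request arrived with, so an attacker-chosen ID never becomes an authenticated one.
    // (On Servlet 3.1+ containers req.changeSessionId() performs the same rotation.)
    static HttpSession auth(LoginContext lc, HttpServletRequest req,
                            HttpServletResponse resp) throws LoginException {
        lc.login();                               // credentials checked as before
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();        // the pre-login ID dies here
        HttpSession fresh = req.getSession(true); // container mints a new random ID
        bindSecondaryCookie(fresh, resp);
        return fresh;
    }
    // MITRE's second mitigation: a random secondary cookie mirrored into the session,
    // for containers that keep the same session ID across login.
    static void bindSecondaryCookie(HttpSession session, HttpServletResponse resp) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.setAttribute(BIND, token);
        Cookie c = new Cookie(BIND, token);
        c.setHttpOnly(true); c.setSecure(true);
        resp.addCookie(c);
    }
    // Run on every authenticated request: a missing or mismatched cookie means the
    // session is invalidated and the user must log in again.
    static boolean verifyBinding(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s == null) return false;
        String expected = (String) s.getAttribute(BIND), presented = null;
        Cookie[] cookies = req.getCookies() == null ? new Cookie[0] : req.getCookies();
        for (Cookie c : cookies) if (BIND.equals(c.getName())) presented = c.getValue();
        if (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes(), presented.getBytes())) {
            s.invalidate();
            return false;
        }
        return true;
    }
}
```

Call verifyBinding() from a filter that guards every authenticated path; a session whose binding cookie has been dropped or swapped is thrown away rather than trusted.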
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-24552 | Bludit is Vulnerable to Session Fixation | Bludit | 8.8 (AI) | High (AI) | 2024-06-24
CVE-2024-25977 | Session Fixation | HAWKI | 8.3 (AI) | High (AI) | 2024-05-29
CVE-2023-38002 | IBM Storage Scale session fixation | Storage Scale | 5.0 | Medium | 2024-04-30
CVE-2024-2260 | Session Fixation Vulnerability in zenml-io/zenml | zenml-io/zenml | 8.8 | - | 2024-04-16
CVE-2024-31221 | Clients removed during unpairing process may regain access if Sunshine was not restarted | Sunshine | 5.9 | Medium | 2024-04-08
CVE-2024-2639 | Bdtask Wholesale Inventory Management System session fixation | Wholesale Inventory Management System | 4.3 | Medium | 2024-03-19
CVE-2024-22250 | Session Hijack Vulnerability in Deprecated EAP Browser Plugin | VMware Enhanced Authentication Plug-in (EAP) | 7.8 | High | 2024-02-20
CVE-2023-47798 | Liferay Portal and Liferay DXP security vulnerability | Portal | 5.4 | Medium | 2024-02-08
CVE-2024-24823 | graylog2-server Session Fixation vulnerability through cookie injection | graylog2-server | 5.7 | Medium | 2024-02-07
CVE-2023-50941 | IBM PowerSC session fixation | PowerSC | 6.3 | Medium | 2024-02-02
CVE-2024-23679 | Enonic XP Session Fixation Vulnerability | - | 9.8 | - | 2024-01-19
CVE-2024-0351 | SourceCodester Engineers Online Portal session fixation | Engineers Online Portal | 3.1 | Low | 2024-01-09
CVE-2023-6913 | Session Hijacking on Imou Life app | Imou Life app | 8.1 | High | 2023-12-19
CVE-2023-49804 | Uptime Kuma Password Change Vulnerability | uptime-kuma | 6.7 | Medium | 2023-12-11
CVE-2023-46733 | Symfony possible session fixation vulnerability | symfony | 6.5 | Medium | 2023-11-10
CVE-2023-5309 | Broken Session Management in Puppet Enterprise | Puppet Enterprise | 6.8 | Medium | 2023-11-07
CVE-2023-0897 | Session Fixation in Sielco PolyEco1000 | PolyEco1000 | 8.8 | High | 2023-10-26
CVE-2023-45687 | Authentication bypass via session fixation in Titan MFT and Titan SFTP servers | Titan MFT | 8.1 | - | 2023-10-16
CVE-2023-44400 | Uptime Kuma has Persistent User Sessions | uptime-kuma | 6.7 | Medium | 2023-10-09
CVE-2022-3916 | Keycloak: session takeover with oidc offline refresh tokens | Red Hat Single Sign-On 7 | 6.8 | Medium | 2023-09-20
CVE-2023-3711 | Potential Predictable Session ID | PM23/43 | 6.4 | Medium | 2023-09-12
CVE-2023-4649 | Session Fixation in instantsoft/icms2 | instantsoft/icms2 | 7.6 | - | 2023-08-31
CVE-2023-40273 | Session fixation in Apache Airflow web interface | Apache Airflow | 8.8 | - | 2023-08-23
CVE-2023-24477 | Session Fixation in Guardian/CMC before 22.6.2 | Guardian | 7.0 | High | 2023-08-09
CVE-2023-3394 | Session Fixation in fossbilling/fossbilling | fossbilling/fossbilling | 7.6 | - | 2023-06-23
CVE-2023-3192 | Session Fixation in froxlor/froxlor | froxlor/froxlor | 7.6 | - | 2023-06-11
CVE-2023-28316 | Rocket.Chat authorization vulnerability | Rocket.Chat | 9.8 | - | 2023-05-09
CVE-2023-29020 | Cross site request forgery token fixation in fastify-passport | fastify-passport | 6.5 | Medium | 2023-04-21
CVE-2023-29019 | Session fixation in fastify-passport | fastify-passport | 8.1 | High | 2023-04-21
CVE-2023-2105 | Session Fixation in alextselegidis/easyappointments | alextselegidis/easyappointments | 8.1 | - | 2023-04-15

Vulnerabilities classified as CWE-384 (Session Fixation) represent 145 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.