CVE-2018-1000814 - Insufficient Session Expiration vulnerability in Aiohttp-Session Project Aiohttp-Session

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
aiohttp-session-project
CWE-613

Summary

aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in non-expiring sessions / infinite lifespan. This attack appears to be exploitable via recreation of a cookie post-expiry with the same value.
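The weakness class described above (CWE-613), shown as an added example that is not aiohttp-session's code: a cookie-stored session whose lifetime depends only on the browser discarding the cookie, next to a loader that checks an issue time carried inside the authenticated payload. An HMAC-signed cookie from the standard library stands in for the encrypted storages; the key, MAX_AGE value and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed key, for this example only
MAX_AGE = 3600                    # assumed session lifetime in seconds


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(data: dict, now: int) -> str:
    """Serialize the session with its issue time inside the signed payload."""
    payload = json.dumps({"created": now, "session": data}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _verify(cookie: str):
    """Return the decoded payload if the MAC is valid, otherwise None."""
    try:
        body, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # missing separator or malformed base64
        return None
    if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None
    return json.loads(payload)


def load_client_expiry_only(cookie: str, now: int):
    """Weak pattern: integrity is checked, but expiry is left to the
    cookie's Max-Age attribute, which only the browser enforces."""
    decoded = _verify(cookie)
    return decoded["session"] if decoded else None


def load_server_expiry(cookie: str, now: int):
    """Hardened pattern: reject any cookie older than MAX_AGE on the server."""
    decoded = _verify(cookie)
    if decoded is None:
        return None
    age = now - decoded["created"]
    if age < 0 or age > MAX_AGE:
        return None
    return decoded["session"]
```

Because the issue time sits inside the signed payload, a client that resends an old cookie value cannot extend its lifetime without invalidating the MAC.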

Common Weakness Enumeration (CWE)