Vulnerabilities > CVE-2019-8149 - Insufficient Session Expiration vulnerability in Magento

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

magento

CWE-613

critical

NVD

Published: 2019-11-06

Updated: 2020-08-24

Summary

Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication.

Vulnerable Configurations

Part	Description	Count
Application	Magento Magento Magento 2.3.0 Magento Magento 2.3.1 Magento Magento 2.3.2 Magento Magento 2.2.0 Magento Magento 2.2.1 Magento Magento 2.2.2 Magento Magento 2.2.3 Magento Magento 2.2.4 Magento Magento 2.2.5 Magento Magento 2.2.6 Magento Magento 2.2.7 Magento Magento 2.2.8 Magento Magento 2.2.9	29

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update