CVE-2020-10714

CWE-3846 documents6 sources

Severity

7.5HIGH

EPSS

0.4%

top 41.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Wildfly Elytron Redhat Codeready Studio Redhat Descision Manager +2 more

Timeline

PublishedSep 23

Latest updateFeb 15

Description

A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages7 packages

▶NVDredhat/wildfly_elytron< 1.11.3

▶Mavenorg.wildfly.security:wildfly-elytron< 1.11.4

▶CVEListV5wildfly-elytronwildfly-elytron 1.10.7.Final

▶NVDredhat/jboss_fuse7.0.0

▶NVDredhat/codeready_studio12.0

🔴Vulnerability Details

OSV

Session Fixation in WildFly Elytron↗2022-02-15

▶

GHSA

Session Fixation in WildFly Elytron↗2022-02-15

▶

CVEList

CVE-2020-10714: A flaw was found in WildFly Elytron version 1↗2020-09-23

▶

📋Vendor Advisories

Red Hat

wildfly-elytron: session fixation when using FORM authentication↗2020-04-28

▶

💬Community

Bugzilla

CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication↗2020-04-20

▶