Security Advisory WSO2-2017-0261
Published: September 04, 2017
Severity: High
CVSS Score: 7.3 (CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
AFFECTED PRODUCTS
- WSO2 Governance Registry 5.4.0
OVERVIEW
A potential Session Fixation vulnerability has been identified in the Publisher and Store applications.
DESCRIPTION
The Store and Publisher applications do not renew the session ID upon user login, resulting in a potential Session Fixation vulnerability.
An attacker could potentially exploit this vulnerability by fixing a session ID or gaining access to an unauthenticated initial session ID and later using the same ID after the user authentication is completed.
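To make the defect concrete, here is an added illustration (not WSO2's code; the real Store and Publisher apps are not modelled) of a minimal session store with the flaw described above beside the corrected behaviour, plus a check a tester can run to confirm whether a session ID known before login still grants access after login:

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: session_id -> attribute dict."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        """Issue an unauthenticated session, as a first visit to the app would."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {}
        return sid

    def user_for(self, sid):
        """Return the user bound to a session ID, or None if not authenticated."""
        return self.sessions.get(sid, {}).get("user")

    def login_without_renewal(self, sid, user):
        # Vulnerable pattern from the advisory: the pre-authentication session ID
        # is kept and simply marked as authenticated, so anyone who knew (or
        # chose) that ID before login now holds an authenticated session.
        self.sessions.setdefault(sid, {})["user"] = user
        return sid

    def login_with_renewal(self, sid, user):
        # Fixed pattern: invalidate the pre-authentication session, issue a fresh
        # ID and carry over only the attributes collected before login.
        attrs = self.sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(16)
        self.sessions[new_sid] = dict(attrs, user=user)
        return new_sid


def session_fixation_check(login):
    """Return True if a session ID obtained before login is still valid and
    authenticated after the victim logs in with it (i.e. the flaw is present).

    `login` is one of the two unbound SessionStore login methods above.
    """
    store = SessionStore()
    preauth_sid = store.new_session()       # ID known before authentication
    post_sid = login(store, preauth_sid, "victim")
    # The flaw is present if the old ID was not replaced and still maps to the user.
    return post_sid == preauth_sid and store.user_for(preauth_sid) == "victim"
```

The same check translates directly to a black-box test against a deployment: capture the session cookie before login, authenticate, and verify that the server has issued a different cookie and no longer accepts the old one.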
IMPACT
An attacker could gain the same access level as the victim and perform activities by impersonating the victim.
SOLUTION
Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.
Download the relevant patches for the products you use using the matrix below. Patches can also be downloaded from Security Patch Releases.
Code | Product | Version | Patch |
---|---|---|---|
GREG | WSO2 Governance Registry | 5.4.0 | WSO2-CARBON-PATCH-4.4.0-1221 |
Info: This vulnerability is already fixed in product versions newer than the ones listed in the SOLUTION section.