CVE Vulnerabilities

CVE-2018-19443

Session Fixation

Published: Nov 22, 2018 | Modified: Dec 20, 2018

CVSS 3.x: 5.9 MEDIUM (Source: NVD)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.x: 4.3 MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendor ratings: RedHat/V2 (none listed), RedHat/V3 (none listed), Ubuntu MEDIUM

The Tryton client in 5.x before 5.0.1 tries, under certain circumstances, to open its connection to the bus in cleartext instead of over TLS (bus.py and jsonrpc.py). The connection attempt fails, but the request already carries the user's current session in a header, so an attacker positioned as a man-in-the-middle on the network path can read the session and reuse it. This matches the CVSS 3.x vector above: network-reachable, high attack complexity (the attacker must be on path), no privileges or user interaction, and a confidentiality-only impact.
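The failure mode described above, as an added example in Python that is not Tryton's own code: a client path that hardcodes the bus scheme sends the session header over plain HTTP even when the server was reached over HTTPS, while the corrected path inherits the scheme from the server URL. A guard function then refuses to attach a session credential to any non-TLS URL at all. The endpoint path `/bus`, the header name and the `Session <token>` value format are assumptions for illustration, and the on-the-wire observer is a constructed stand-in for a man-in-the-middle.

```python
"""Cleartext session exposure (CVE-2018-19443 pattern) with a hardened variant.

Added illustration; none of this is Tryton code. Endpoint path, header name and
token format are hypothetical.
"""
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit

SESSION_HEADER = "Authorization"   # hypothetical header carrying the session
BUS_PATH = "/bus"                  # hypothetical bus endpoint


class CleartextSessionError(Exception):
    """Raised when a session credential would be sent without TLS."""


def bus_url_vulnerable(server_url: str) -> str:
    # Buggy pattern: the scheme is hardcoded, so a client that logged in over
    # https still contacts the bus over http.
    parts = urlsplit(server_url)
    return urlunsplit(("http", parts.netloc, BUS_PATH, "", ""))


def bus_url_fixed(server_url: str) -> str:
    # Corrected pattern: the bus connection reuses the scheme the server
    # connection was made with, so https stays https.
    parts = urlsplit(server_url)
    return urlunsplit((parts.scheme, parts.netloc, BUS_PATH, "", ""))


def build_bus_request(url: str, session: str, allow_cleartext: bool = False) -> Dict:
    # Defensive check independent of how the URL was built: never attach a
    # session credential to a non-TLS URL unless the caller opts in explicitly
    # (e.g. a loopback development server).
    if urlsplit(url).scheme != "https" and not allow_cleartext:
        raise CleartextSessionError(f"refusing to send session over {url}")
    return {"url": url, "headers": {SESSION_HEADER: f"Session {session}"}}


def guard_allows(url: str) -> bool:
    """True if build_bus_request would accept this URL with default settings."""
    try:
        build_bus_request(url, "probe")
    except CleartextSessionError:
        return False
    return True


def observe_on_the_wire(request: Dict) -> Optional[str]:
    # Constructed stand-in for a passive man-in-the-middle: plain http is
    # readable, so the header is captured; over https only the TLS record
    # layer is visible and nothing is returned.
    if urlsplit(request["url"]).scheme == "http":
        return request["headers"].get(SESSION_HEADER)
    return None


def session_exposed(server_url: str, session: str,
                    builder: Callable[[str], str]) -> Optional[str]:
    """Run one client code path and return what an on-path attacker captures."""
    url = builder(server_url)
    # allow_cleartext=True models the pre-fix client, which had no such guard.
    request = build_bus_request(url, session, allow_cleartext=True)
    return observe_on_the_wire(request)


if __name__ == "__main__":
    server = "https://erp.example.com:8000/"   # constructed server URL
    print("vulnerable:", session_exposed(server, "tok123", bus_url_vulnerable))
    print("fixed:     ", session_exposed(server, "tok123", bus_url_fixed))
    print("guard allows http bus:", guard_allows("http://erp.example.com:8000/bus"))
```

The guard is the part worth keeping in a real client: deriving the scheme correctly fixes this bug, but a check at the point where the credential is attached also catches the next place a URL is built by hand.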

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. This is the weakness category recorded for the CVE; note that the behaviour described above exposes an existing session in cleartext rather than fixing a chosen one, so the practical fix is keeping the session-bearing bus connection on TLS, as done in 5.0.1.

Affected Software

Name            Vendor   Start Version        End Version
Tryton          Tryton   5.0.0 (including)    5.0.0 (including)
Tryton-client   Ubuntu   bionic               *
Tryton-client   Ubuntu   cosmic               *
Tryton-client   Ubuntu   disco                *
Tryton-client   Ubuntu   eoan                 *
Tryton-client   Ubuntu   groovy               *
Tryton-client   Ubuntu   hirsute              *
Tryton-client   Ubuntu   impish               *
Tryton-client   Ubuntu   kinetic              *
Tryton-client   Ubuntu   lunar                *
Tryton-client   Ubuntu   mantic               *
Tryton-client   Ubuntu   trusty               *
Tryton-client   Ubuntu   xenial               *

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References