
aiohttp-session creates non-expiring sessions

Moderate severity GitHub Reviewed Published Dec 20, 2018 to the GitHub Advisory Database • Updated Aug 30, 2024

Package

pip aiohttp-session (pip)

Affected versions

<= 2.6.0

Patched versions

2.7.0

Description

aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in non-expiring sessions / infinite lifespan. This attack appears to be exploitable via recreation of a cookie post-expiry with the same value.
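The underlying design point is where the expiry lives. A cookie's `Max-Age` attribute only tells the browser when to discard the cookie; if the server does not also record a creation time inside the protected payload and check it on every request, a copy of the cookie value stays valid indefinitely. The following is an added example written for this page, not aiohttp-session's own code: an HMAC-signed JSON payload with a constructed demo key stands in for the Fernet/NaCl encryption the real storages use, and `encode_session`, `decode_session_legacy` and `decode_session` are hypothetical names chosen here. It contrasts a decoder that only verifies integrity with one that additionally rejects payloads older than `max_age`.

```python
"""Session cookie payloads with and without an embedded age check.

Added illustration (not aiohttp-session's code). The constructed SECRET and the
HMAC tag stand in for the Fernet/NaCl encryption used by the real storages; the
technique shown is the same either way: keep the creation time inside the
authenticated payload and enforce max_age on the server.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example only; a real deployment generates its own.
SECRET = b"constructed-demo-key-not-for-real-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _sign(payload: bytes) -> bytes:
    # Integrity tag so the client cannot alter "created" or the session data.
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def _unwrap(cookie: str) -> Optional[dict]:
    """Return the payload dict if the tag verifies, otherwise None."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = _b64d(body_b64)
        tag = _b64d(tag_b64)
    except (ValueError, UnicodeError):  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(_sign(body), tag):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def encode_session(data: dict, now: Optional[float] = None) -> str:
    """Wrap session data together with its creation time under the MAC."""
    created = time.time() if now is None else now
    body = json.dumps({"created": created, "session": data},
                      separators=(",", ":")).encode()
    return f"{_b64e(body)}.{_b64e(_sign(body))}"


def decode_session_legacy(cookie: str) -> Optional[dict]:
    """Integrity only: the server never asks how old the cookie is, so a
    re-sent value is accepted no matter when it was issued."""
    payload = _unwrap(cookie)
    return None if payload is None else payload.get("session")


def decode_session(cookie: str, max_age: int,
                   now: Optional[float] = None) -> Optional[dict]:
    """Integrity plus age: payloads older than max_age seconds are rejected."""
    payload = _unwrap(cookie)
    if payload is None:
        return None
    created = payload.get("created")
    if not isinstance(created, (int, float)):
        return None  # no creation time means no way to bound the lifetime
    current = time.time() if now is None else now
    if current - created > max_age:
        return None
    return payload.get("session")


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed issue time
    cookie = encode_session({"user": "alice"}, now=t0)
    print(decode_session(cookie, max_age=3600, now=t0 + 60))     # fresh: accepted
    print(decode_session(cookie, max_age=3600, now=t0 + 86400))  # a day old: None
    print(decode_session_legacy(cookie))                          # accepted regardless of age
```

The `now` parameter exists only so the age check can be exercised deterministically; in a server the default `time.time()` path is used. Note that the check lives entirely on the server side and is independent of any `Max-Age` or `Expires` attribute sent with the cookie.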

References

Published to the GitHub Advisory Database Dec 20, 2018
Reviewed Jun 16, 2020
Last updated Aug 30, 2024

Severity

Moderate

EPSS score

0.064%
(29th percentile)

Weaknesses

CVE ID

CVE-2018-1000814

GHSA ID

GHSA-mr4x-c4v9-x729