GHSA-62f6-h68r-3jpw

Suggest an improvement
Source
https://github.com/advisories/GHSA-62f6-h68r-3jpw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-62f6-h68r-3jpw/GHSA-62f6-h68r-3jpw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-62f6-h68r-3jpw
Published
2024-06-07T20:20:21Z
Modified
2024-12-04T05:29:28.366753Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Zendframework session validation vulnerability
Details

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D> '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T20:20:21Z"
}
References

Affected packages

Packagist / zendframework/zendframework

Package

Name
zendframework/zendframework
Purl
pkg:composer/zendframework/zendframework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.2.9

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8

Packagist / zendframework/zendframework

Package

Name
zendframework/zendframework
Purl
pkg:composer/zendframework/zendframework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.4

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3