PYSEC-2018-35

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp-session/PYSEC-2018-35.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2018-35
Aliases
Published
2018-12-20T15:29:00Z
Modified
2023-11-01T04:48:39.275057Z
Summary
[none]
Details

aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in non-expiring sessions (infinite session lifespan). The encrypted cookie payload carries no creation time, so expiry is enforced only by the browser's cookie lifetime; the server accepts any cookie that decrypts correctly, however old it is. The issue appears to be exploitable by recreating the cookie after its expiry with the same value, which restores the original session. Fixed in 2.7.0.
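The following is an added example that models the flaw and its fix; it is not aiohttp-session's own code. The real storages encrypt the cookie (Fernet for EncryptedCookieStorage, NaCl SecretBox for NaClCookieStorage); here a stdlib HMAC seal stands in for that cipher, because the weakness lies in what the sealed payload contains, not in how it is protected. The class and function names, the key and the sample session are all constructed for the demo.

```python
"""Replay of an expired aiohttp-session-style cookie: vulnerable vs. fixed.

Added example, not aiohttp-session's own code. An HMAC seal stands in for the
Fernet/NaCl encryption the real storages use; names are hypothetical.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment derives this per application.
KEY = b"constructed-demo-key-do-not-use-in-production"
TAG_LEN = 32  # SHA-256 digest length


def _seal(payload):
    """Serialise `payload` and prefix it with an HMAC so the client cannot alter it."""
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(KEY, raw, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + raw).decode()


def _unseal(cookie):
    """Return the payload dict, or None if the cookie is malformed or tampered with."""
    try:
        blob = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    tag, raw = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(KEY, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(raw)


class VulnerableStorage:
    """Models <= 2.6.0: the payload is only the session dict. max_age is sent to the
    browser as Max-Age, but the server never checks the cookie's age itself."""

    def __init__(self, max_age):
        self.max_age = max_age

    def save(self, session, now):
        return _seal(session)

    def load(self, cookie, now):
        data = _unseal(cookie)
        return data if data is not None else {}


class FixedStorage:
    """Models the 2.7.0 behaviour: the payload records when it was created and the
    server discards it once it is older than max_age, whatever the client sends."""

    def __init__(self, max_age):
        self.max_age = max_age

    def save(self, session, now):
        return _seal({"created": now, "session": session})

    def load(self, cookie, now):
        data = _unseal(cookie)
        if data is None:
            return {}
        created = data.get("created")
        # A payload without a timestamp (e.g. issued by the old format) is treated as expired.
        if created is None or now - created > self.max_age:
            return {}
        return data.get("session", {})


def replay_after_expiry(storage_cls, max_age=3600):
    """Issue a cookie, then present the same value one day later, long after Max-Age.

    Returns the session the server reconstructs from the replayed cookie."""
    t0 = 1_700_000_000  # constructed fixed clock
    storage = storage_cls(max_age)
    cookie = storage.save({"user_id": 42}, now=t0)
    # The browser would have dropped the cookie by now; an attacker who captured
    # it (or a client that re-creates it) simply sends the same value again.
    return storage.load(cookie, now=t0 + 86_400)


if __name__ == "__main__":
    print("vulnerable:", replay_after_expiry(VulnerableStorage))  # session comes back
    print("fixed:     ", replay_after_expiry(FixedStorage))       # empty session
```

The check that matters is the comparison against `created` inside `FixedStorage.load`: once the creation time travels inside the authenticated payload, the client's ability to re-present an old cookie value no longer extends the session's life. The same pattern (stamp the sealed payload, verify age server-side) applies to any stateless session or token scheme, not only to these two storages.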

References

Affected packages

PyPI / aiohttp-session

Affected ranges (type: ECOSYSTEM)

Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 2.7.0

Affected versions

0.*

0.0.1
0.1.0
0.1.1
0.1.2
0.2.0
0.3.0
0.4.0
0.5.0
0.7.0
0.7.1
0.8.0

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.2.1

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.3.0
2.4.0
2.5.1
2.6.0