aio-libs/aiohttp-session

aio-libs/aiohttp-session

aiohttp-session.readthedocs.io

Releases34

Frequency3 months 1 week

Last Release over 1 year ago

Stars246

Web sessions for aiohttp.web

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-1000814 ↗	Dec 20, 2018Thursday, 20 December 2018, 15:29	6.5 MEDIUM	4 MEDIUM
aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.
CVE-2018-1000519 ↗	Jun 26, 2018Tuesday, 26 June 2018, 16:29	6.5 MEDIUM	4.3 MEDIUM
aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).