Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatcveRedhat.comRH:CVE-2021-20324
HistoryOct 28, 2021 - 9:10 p.m.

CVE-2021-20324

2021-10-2821:10:12
redhat.com
access.redhat.com
42
wildfly elytron
session fixation
undertow
data confidentiality
data integrity
session timeout
session tracking
JSON

A flaw was found in WildFly Elytron. A variation to the use of a session fixation exploit when using Undertow was found despite Undertow switching the session ID after authentication. The highest threat from this vulnerability is to data confidentiality and integrity.

Mitigation

This attack is dependent on the attacker being able to create a session and the victim accessing the session before the session expires, we do have a 15 minute session timeout by default but the attacker could also keep this alive by say sending in a request every five minutes.

The server by default supports session tracking by URL and Cookie, if the web.xml is updated to support COOKIE only the exploit is not possible by sharing the link.

  <session-config>  
    <tracking-mode>URL</tracking-mode>  
  </session-config>

TO

  <session-config>  
    <tracking-mode>COOKIE</tracking-mode>  
  </session-config>

Related

cvelist 1
cve 1
nvd 1
ibm 1
cvelist
cvelist
CVE-2021-20324
1976-01-01 00:00:00
cve
cve
CVE-2021-20324
2022-04-18 17:15:14
nvd
nvd
CVE-2021-20324
2022-04-18 17:15:14
ibm
ibm
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.3
2024-06-18 14:01:41
JSON
Related for RH:CVE-2021-20324
cvelist1cve1nvd1ibm1