Vulnerability Details CVE-2023-29019
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using `@fastify/passport` in affected versions for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. fastify applications rely on the `@fastify/passport` library for user authentication. The login and user validation are performed by the `authenticate` function. When executing this function, the `sessionId` is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid `sessionId` cookie in the victim's browser and waiting for the victim to log in on the website. As a solution, newer versions of `@fastify/passport` regenerate `sessionId` upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.7%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11
- https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9
- https://owasp.org/www-community/attacks/Session_fixation
- https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11
- https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9
- https://owasp.org/www-community/attacks/Session_fixation
Products affected by CVE-2023-29019
-
cpe:2.3:a:fastify:passport:-
-
cpe:2.3:a:fastify:passport:1.0.0
-
cpe:2.3:a:fastify:passport:1.0.1
-
cpe:2.3:a:fastify:passport:2.0.0
-
cpe:2.3:a:fastify:passport:2.0.1
-
cpe:2.3:a:fastify:passport:2.1.0
-
cpe:2.3:a:fastify:passport:2.2.0