CVE-2024-35220 – @fastify/session reuses destroyed session cookie
https://notcve.org/view.php?id=CVE-2024-35220
@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired, and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
References:
https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
https://github.com/fastify/session/issues/251
https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
CWE-613: Insufficient Session Expiration
CVE-2022-1955
https://notcve.org/view.php?id=CVE-2022-1955
Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/PIN lock and access user data. This is possible due to a lack of adequate security controls to prevent dynamic code manipulation.
References:
https://fluidattacks.com/advisories/tempest
https://github.com/oxen-io/session-android
https://github.com/oxen-io/session-android/pull/897
CWE-287: Improper Authentication