What is the severity of CVE-2020-10714?

CVE-2020-10714 has a high severity rating due to the potential for session fixation attacks affecting data confidentiality and integrity.

How do I fix CVE-2020-10714?

To fix CVE-2020-10714, upgrade to a fixed version of WildFly Elytron at or above 1.11.3.Final.

Which versions of WildFly Elytron are affected by CVE-2020-10714?

CVE-2020-10714 affects WildFly Elytron version 1.11.3.Final and earlier.

What is a session fixation attack in the context of CVE-2020-10714?

A session fixation attack allows an attacker to hijack a user's session by exploiting the session ID provided in the URL.

What platforms are affected by CVE-2020-10714?

CVE-2020-10714 affects various Red Hat JBoss EAP packages, especially versions dependent on the vulnerable WildFly Elytron implementation.

Vulnerability/
CVE-2020-10714

high

7.5

CWE

384

20/4/2020

28/4/2020

8/11/2022

CVE-2020-10714

First published: Mon Apr 20 2020(Updated: )

A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Credit: secalert@redhat.com

Remedy

This attack is dependent on the attacker being able to create a session and the victim accessing the session before the session expires, we do have a 15 minute session timeout by default but the attacker could also keep this alive by say sending in a request every five minutes. The server by default supports session tracking by URL and Cookie, if the web.xml is updated to support COOKIE only the exploit is not possible by sharing the link. ~~~ <session-config> <tracking-mode>URL</tracking-mode> </session-config> ~~~ TO ~~~ <session-config> <tracking-mode>COOKIE</tracking-mode> </session-config> ~~~

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2020-10714?
CVE-2020-10714 has a high severity rating due to the potential for session fixation attacks affecting data confidentiality and integrity.
How do I fix CVE-2020-10714?
To fix CVE-2020-10714, upgrade to a fixed version of WildFly Elytron at or above 1.11.3.Final.
Which versions of WildFly Elytron are affected by CVE-2020-10714?
CVE-2020-10714 affects WildFly Elytron version 1.11.3.Final and earlier.
What is a session fixation attack in the context of CVE-2020-10714?
A session fixation attack allows an attacker to hijack a user's session by exploiting the session ID provided in the URL.
What platforms are affected by CVE-2020-10714?
CVE-2020-10714 affects various Red Hat JBoss EAP packages, especially versions dependent on the vulnerable WildFly Elytron implementation.

collector/redhat-cve
agent/type
agent/last-modified-date
agent/first-publish-date
agent/author
agent/severity
agent/references
agent/remedy
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-10714
agent/software-canonical-lookup
agent/event
agent/trending
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/redhat
canonical/red hat wildfly elytron
canonical/red hat codeready studio
version/red hat codeready studio/12.0
canonical/red hat decision manager
version/red hat decision manager/7.0
canonical/red hat jboss fuse
version/red hat jboss fuse/7.0.0
canonical/red hat process automation manager
version/red hat process automation manager/7.0
vendor/netapp
canonical/netapp oncommand insight