com.enonic.xp:lib-auth vulnerable to Session Fixation · CVE-2024-23679 · GitHub Advisory Database · GitHub

com.enonic.xp:lib-auth vulnerable to Session Fixation

Critical severity GitHub Reviewed Published Oct 12, 2022 in enonic/xp • Updated Jan 22, 2026

Package

com.enonic.xp:lib-auth (Maven)

Affected versions

< 7.7.4

Patched versions

7.7.4

Description

Impact

All id-providers using lib-auth login method.

Patches

enonic/xp@0189975
enonic/xp@2abac31
enonic/xp@1f44674

Workarounds

Don't use lib-auth for login.
Java API uses low-level structures and allows to invalidate previous session before auth-info is added.

References

References

rymsha published to enonic/xp

Oct 12, 2022

Published to the GitHub Advisory Database Oct 12, 2022

Reviewed Oct 12, 2022

Last updated Jan 22, 2026

Severity

Critical

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H