OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: https://ossindex.sonatype.org/vulnerability/sonatype-2016-0026 #313

Closed bdemers closed 1 year ago

bdemers commented 2 years ago

Vulnerability URL Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/sonatype-2016-0026

Component URL Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:maven/org.apache.shiro/shiro-web

Description Incorrect CWE / CVSS Score

The reported issue is not related to a user's session; it's a remember-me cookie, to remember the user's identity. From: https://shiro.apache.org/java-authentication-guide.html#JavaAuthenticationGuide-RememberedvsAuthenticated

When a user is only remembered, the remembered identity gives the system an idea who that user probably is, but in reality, has no way of absolutely guaranteeing if the remembered Subject represents the user currently using the application.

ken-duck commented 1 year ago

Sorry for the delay. We are still working on developing processes to handle issues, and I have been away for a while (catching up now)!

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

bmarwell commented 1 year ago

Hi @ken-duck, any update on this?

ken-duck commented 1 year ago

Sorry for the very long delay. As you might have sussed out, there has been significant churn in our processes and teams. At the same time we migrated completely from our old OSS Index database to a new database that has significantly more researchers and a much larger repository of vulnerabilities. Hopefully this means you will see fewer problems.

In addition, if future issues are reported at ossindex@sonatype.org you should see faster response, as that email is being monitored by a team now.

Meanwhile, our researchers reported this on your issue:

The original SHIRO issue links to a post that mentions two different security problems:

The first one is covered in sonatype-2016-0026 (SR-5371) and it refers to the fact that the age of the "Remember me" cookie is not verified server-side. This cookie can be enough to authorize a user, effectively working as a valid session token, if the action that they are trying to perform has not been marked as "@RequiresAuthentication". For this reason, we consider CWE-613: Insufficient Session Expiration to be appropriate for this issue. However, considering the fact that an attacker would first need to gain access to a user's "Remember me" cookie and there is no clear means to achieve this, we have modified the CVSS Score with AC:H. Furthermore, we have updated the Detection section to account for the conditions that are required for this vulnerability to be exploited successfully.

The second issue will be covered in sonatype-2022-5344 (SR-82550) and it refers to the fact that, by default, the "Remember me" cookie is generated by encoding the account's username using a cipher key that is hardcoded in the source code, enabling an attacker with access to said username to perform sensitive actions, provided those actions have not been marked as "@RequiresAuthentication".
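The two findings above share one defensive consequence: a remembered Subject must never be treated as an authenticated one for sensitive actions, and the remember-me manager must not run with the library's default key. The following is an added example, not code from this thread or from the Apache Shiro project, showing how a Shiro web application applies both mitigations. It uses only public Shiro APIs (`@RequiresAuthentication`, `Subject.isAuthenticated()`, `CookieRememberMeManager.setCipherKey`, `AesCipherService.generateNewKey`); the class name, method names and the `cipherKey`/`maxAgeSeconds` parameters are assumptions for illustration.

```java
// Added example (not from the OSS Index thread or the Shiro project).
// Mitigations for the two remember-me findings discussed above:
//   1. sensitive actions require a real login, not a remembered identity;
//   2. the remember-me cookie is encrypted with a deployment-specific key.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeHardening {  // hypothetical class name

    // 1a. With Shiro's annotation support enabled, a Subject that is only
    //     remembered (cookie presented, no credentials) is rejected before
    //     the method body runs; only an authenticated Subject gets through.
    @RequiresAuthentication
    public void changePassword(String newPassword) {
        // sensitive action body omitted
    }

    // 1b. Equivalent programmatic check for code paths that cannot use
    //     annotations. isAuthenticated() is false for a remembered-only
    //     Subject even though getPrincipal() returns the remembered identity.
    public static void requireFreshLogin() {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            // subject.isRemembered() would be true here for a cookie-only Subject
            throw new UnauthenticatedException("remembered identity is not sufficient");
        }
    }

    // 2. Remember-me manager with a key generated for this deployment rather
    //    than the value compiled into the library, plus a bounded cookie age.
    public static DefaultWebSecurityManager configure(byte[] cipherKey, int maxAgeSeconds) {
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(cipherKey);               // replaces the default key
        rmm.getCookie().setMaxAge(maxAgeSeconds);  // client-side hint only (see note)
        rmm.getCookie().setHttpOnly(true);         // keep the cookie away from scripts
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rmm);
        return sm;
    }

    // Generate a fresh AES key once per deployment and store it outside the
    // code base (secret store, environment); feed its bytes to configure().
    public static byte[] generateKey() {
        return new AesCipherService().generateNewKey().getEncoded();
    }
}
```

Note the asymmetry the researchers describe: the cookie's Max-Age is honoured only by the browser, so a captured cookie remains usable regardless of that setting. The server-side control is the authentication requirement on the action itself, which is why `@RequiresAuthentication` (or the equivalent `isAuthenticated()` check) is the condition under which both findings stop being exploitable.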