6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-96c6-m98x-hxjx

EPSS Score

CWE

CWE-384

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-96c6-m98x-hxjx

GHSA-96c6-m98x-hxjx: Zend-Session session validation vulnerability

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D> '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-96c6-m98x-hxjx

EPSS Score

CWE

CWE-384

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zend-session	composer	>= 2.0.0, < 2.2.9	2.2.9
zendframework/zend-session	composer	>= 2.3.0, < 2.3.4	2.3.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper session data handling in SessionManager::start(). The patch adds $_SESSION backup/merge logic to preserve validator metadata stored in $_SESSION['__ZF']['_VALID']. Without this merge, validators attached before session start would have their reference signatures erased during session initialization, making subsequent validation checks ineffective. The commit diff clearly shows the vulnerable code flow lacked this critical data preservation step prior to the fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

`Z*n*\S*ssion` s*ssion v*li**tors *o not work *s *xp**t** i* s*t prior to t** st*rt o* * s*ssion. *or inst*n**, t** *ollowin* t*st **s* **ils (w**r* $t*is->m*n***r is *n inst*n** o* `Z*n*\S*ssion\S*ssionM*n***r`): ``` $t*is ->m*n***r ->**tV*

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*ssion **t* **n*lin* in S*ssionM*n***r::st*rt(). T** p*t** ***s $_S*SSION ***kup/m*r** lo*i* to pr*s*rv* v*li**tor m*t***t* stor** in $_S*SSION['__Z*']['_V*LI*']. Wit*out t*is m*r**, v*li**tors *tt***** ***or* s

6.5

Basic Information

Concerned about an active attack path?

GHSA-96c6-m98x-hxjx: Zend-Session session validation vulnerability

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI