CVE-2019-8149: Magento Broken authentication and session managememt

May 24, 2022 (updated May 15, 2024)

Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication.

References

github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8149.yaml
github.com/advisories/GHSA-8mwx-wpp4-5xh4
github.com/magento/magento2
magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
nvd.nist.gov/vuln/detail/CVE-2019-8149

Code Behaviors & Features

Detect and mitigate CVE-2019-8149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →