CVE-2024-56733: Password Pusher Allows Session Token Interception Leading to Potential Hijacking

December 30, 2024 (updated December 31, 2024)

A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking.

Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user’s session until the token expires or is manually cleared.

This vulnerability hinges on the attacker’s ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim’s device.

References

Code Behaviors & Features

Detect and mitigate CVE-2024-56733 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →