During a security audit on AWI, a penetration test discovered the following vulnerability:
The session cookie JSESSIONID does not have the SameSite attribute set.
The SameSite flag can help mitigate CSRF and Clickjacking attacks.
If this flag is not set, the application cannot benefit from this protection mechanism.
Release : 12.3.x
Component : Automic Web Interface (AWI)
Here is the relevant excerpt from the report:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
HTTP response in which the session cookies are set without the SameSite flag:
HTTP/1.1 200 OK
Date: Tue, 10 Aug 2021 08:04:13 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=25493E320E83EDA411325EAB163BB65D; Path=/; Secure; HttpOnly
Set-Cookie: __VCAP_ID__=05bbc7d2-c7b7-447c-7bfd-44e3; Path=/; HttpOnly; Secure
For critical applications, SameSite=Strict should be used. For all other applications, SameSite=Lax is recommended.
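As an added example (not part of the original article or of AWI itself), the following Python check parses the Set-Cookie headers of a captured response like the one above, reports cookies that lack SameSite, Secure or HttpOnly, and shows how a header value is completed with the attribute; the sample response is constructed after the excerpt.

```python
# Added example, not from the original article or the AWI project: a small
# checker that reads Set-Cookie headers the way the pentest report did and
# reports session cookies lacking SameSite, Secure or HttpOnly.

# Constructed sample response, modelled on the excerpt quoted in the article.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=25493E320E83EDA411325EAB163BB65D; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: __VCAP_ID__=05bbc7d2-c7b7-447c-7bfd-44e3; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)

def parse_set_cookies(raw_response):
    """Map each cookie name to its attributes ({lowercased attr: value or None})."""
    cookies = {}
    for line in raw_response.split("\r\n\r\n", 1)[0].split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() or None
        cookies[parts[0].split("=", 1)[0]] = attrs
    return cookies

def audit_cookies(raw_response, critical=False):
    """Return (cookie, issue) pairs. Every cookie needs Secure, HttpOnly and
    SameSite; a critical application requires SameSite=Strict, others Lax."""
    findings = []
    for name, attrs in parse_set_cookies(raw_response).items():
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append((name, "missing " + flag))
        samesite = (attrs.get("samesite") or "").lower()
        if "samesite" not in attrs:
            findings.append((name, "missing SameSite"))
        elif critical and samesite != "strict":
            findings.append((name, "SameSite=%s but Strict required" % attrs["samesite"]))
        elif samesite == "none":
            findings.append((name, "SameSite=None gives no CSRF protection"))
    return findings

def harden_set_cookie(header_value, same_site="Lax"):
    """Append a SameSite attribute to a Set-Cookie value that lacks one (the fix)."""
    if "samesite=" in header_value.lower():
        return header_value
    return header_value.rstrip("; ") + "; SameSite=" + same_site
```

Running `audit_cookies(RAW_RESPONSE)` against the constructed response reproduces the report's finding for both cookies.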
This issue was solved during the 21.0.0 security improvements.
The solution is available since version 21.0.0 of the AWI.
There is no CVE number.