VulnerableCode Package Details - pkg:composer/zendframework/zend-session@2.2.9

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2g8z-51nu-17hs	Session Fixation Session validation vulnerability.	ZF2015-01
VCID-mra6-33ez-xbda	Zend-Session session validation vulnerability `Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of `Zend\Session\SessionManager`): ``` $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); ``` The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session.	GHSA-96c6-m98x-hxjx

Vulnerability

Summary

Aliases

VCID-2g8z-51nu-17hs

Session Fixation Session validation vulnerability.

ZF2015-01

VCID-mra6-33ez-xbda

Zend-Session session validation vulnerability `Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of `Zend\Session\SessionManager`): ``` $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); ``` The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session.

GHSA-96c6-m98x-hxjx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T16:50:41.950057+00:00	GithubOSV Importer	Fixing	VCID-mra6-33ez-xbda	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-96c6-m98x-hxjx/GHSA-96c6-m98x-hxjx.json	38.6.0
2026-06-04T16:21:55.530040+00:00	GitLab Importer	Fixing	VCID-mra6-33ez-xbda	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zend-session/GHSA-96c6-m98x-hxjx.yml	38.6.0
2026-06-02T04:36:20.678605+00:00	GitLab Importer	Fixing	VCID-2g8z-51nu-17hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zend-session/ZF2015-01.yml	38.6.0