Vulnerability details: VCID-mra6-33ez-xbda
Vulnerability ID VCID-mra6-33ez-xbda
Aliases GHSA-96c6-m98x-hxjx
Summary Zend-Session session validation vulnerability

`Zend\Session` session validators do not work as expected if they are attached to the validator chain before the session is started. For instance, the following test case fails (where `$this->manager` is an instance of `Zend\Session\SessionManager`), because no `_VALID` metadata is ever written for the attached validator:

```php
$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' => '',
    ),
    $_SESSION['__ZF']['_VALID']
);
```

The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) find no validator metadata attached to the session, so the metadata is rebuilt from scratch out of the current request's values, and the session is marked as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session.
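The following script is an added example, not part of the advisory and not code from the zend-session project. It reproduces the pattern the advisory describes (validators attached before `start()`) against an installed copy of `zendframework/zend-session` and then audits `$_SESSION['__ZF']['_VALID']` to see whether every attached validator actually left a stored signature behind. It assumes the library is installed via Composer at the usual `vendor/autoload.php` path, that it is run from the CLI with a writable session save path, and that the `REMOTE_ADDR` / `HTTP_USER_AGENT` values are constructed placeholders; `missingValidatorSignatures()` is a helper written for this example.

```php
<?php
// Added example: audits whether zend-session stored a signature for each
// attached validator. Not part of the advisory or of zend-session itself.
// Assumes zendframework/zend-session is installed via Composer and that the
// script runs from the CLI (php check-validators.php) with a writable
// session save path. The $_SERVER values below are constructed so that the
// validators have something to sign.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

use Zend\Session\SessionManager;
use Zend\Session\Validator\HttpUserAgent;
use Zend\Session\Validator\RemoteAddr;

$_SERVER['REMOTE_ADDR']     = '203.0.113.7';        // constructed
$_SERVER['HTTP_USER_AGENT'] = 'example-client/1.0'; // constructed

/**
 * Return the validator classes that have NO signature stored in the session
 * metadata. On a vulnerable release this is every validator attached before
 * start(); on a fixed release the result is empty.
 *
 * @param array    $session  The $_SESSION array after SessionManager::start()
 * @param string[] $expected Fully qualified validator class names
 * @return string[]
 */
function missingValidatorSignatures(array $session, array $expected): array
{
    $stored  = $session['__ZF']['_VALID'] ?? [];
    $missing = [];
    foreach ($expected as $class) {
        // An absent key means the next request rebuilds the signature from
        // whatever address / user agent the caller presents, so the check
        // can never fail.
        if (!array_key_exists($class, $stored)) {
            $missing[] = $class;
        }
    }
    return $missing;
}

$validators = [new RemoteAddr(), new HttpUserAgent()];

$manager = new SessionManager();
$chain   = $manager->getValidatorChain();
foreach ($validators as $validator) {
    // Attaching BEFORE start() is exactly the pattern the advisory describes.
    $chain->attach('session.validate', [$validator, 'isValid']);
}
$manager->start();

$expected = array_map('get_class', $validators);
$missing  = missingValidatorSignatures($_SESSION, $expected);

if ($missing === []) {
    echo "OK: every validator has a stored signature:\n";
    foreach ($_SESSION['__ZF']['_VALID'] as $class => $signature) {
        echo "  {$class} => {$signature}\n";
    }
    exit(0);
}

echo "VULNERABLE: no stored signature for:\n";
foreach ($missing as $class) {
    echo "  {$class}\n";
}
// Later requests presenting this session id will pass the RemoteAddr and
// HttpUserAgent checks regardless of the client's real address or agent.
exit(1);
```

The expected class list is passed explicitly rather than derived from the chain, so the audit cannot pass vacuously if the chain turns out to be empty. A non-zero exit on a given install means the deployed zend-session release does not persist validator metadata for validators attached before `start()`; the fix commits listed below are the upstream changes that address this.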
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3.1 6.5 https://framework.zend.com/security/advisory/ZF2015-01
generic_textual MODERATE https://framework.zend.com/security/advisory/ZF2015-01
cvssv3.1 6.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-session/ZF2015-01.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-session/ZF2015-01.yaml
cvssv3.1 6.5 https://github.com/zendframework/zend-session
generic_textual MODERATE https://github.com/zendframework/zend-session
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/05fa95488b5ade513c4dcc56051a7ddb1c94f341
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/05fa95488b5ade513c4dcc56051a7ddb1c94f341
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/1272fc047121720130690c324413629d8f63d210
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/1272fc047121720130690c324413629d8f63d210
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/35014ab0ae17c2a169320f182697ee9fe73d841e
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/35014ab0ae17c2a169320f182697ee9fe73d841e
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/3b1a65b3193a4219f5c4259ab8735f9ad254a021
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/3b1a65b3193a4219f5c4259ab8735f9ad254a021
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/6a27a9fddd8f5b12b3af0de6309181ff5946dd0e
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/6a27a9fddd8f5b12b3af0de6309181ff5946dd0e
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/7c4b73dd64e01001946aac76c6deddfe1c6ef0be
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/7c4b73dd64e01001946aac76c6deddfe1c6ef0be
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/7fc94bd6a60342416242a3899d63072c471b33d3
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/7fc94bd6a60342416242a3899d63072c471b33d3
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/93b43aa0ca5348d29034f67195ffa3f4082878d5
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/93b43aa0ca5348d29034f67195ffa3f4082878d5
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/9868f84513536446b0bac81cc95e0130b0a6fc9c
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/9868f84513536446b0bac81cc95e0130b0a6fc9c
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/a3382bfd3067f527762294b5fc622550988e6862
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/a3382bfd3067f527762294b5fc622550988e6862
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/b1903947e285568344b3458e4524b016ce311072
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/b1903947e285568344b3458e4524b016ce311072
cvssv3.1 6.5 https://github.com/zendframework/zend-session/commit/ff9236cc4c4944b5f5a6fbfee01420ef82c4fa91
generic_textual MODERATE https://github.com/zendframework/zend-session/commit/ff9236cc4c4944b5f5a6fbfee01420ef82c4fa91
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (base score 6.5, MODERATE)
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): high
Availability Impact (A): none
Found at https://framework.zend.com/security/advisory/ZF2015-01; the identical vector is recorded against each of the other fourteen sources in the table above (the FriendsOfPHP advisory entry, the zend-session repository, and the twelve fix commits).
No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T16:21:55.497627+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/zendframework/zend-session/GHSA-96c6-m98x-hxjx.yml 38.6.0