Advisories for Maven/Com.enonic.xp/Lib-Auth package

2024
2022

com.enonic.xp:lib-auth vulnerable to Session Fixation

Impact All id-providers using lib-auth login method. lib-auth should invalidate old session after login and replicate session attributes in a new one, however this is not the behavior in affected versions. Workarounds Don't use lib-auth for login. Java API uses low-level structures and allows to invalidate previous session before auth-info is added. References https://github.com/enonic/xp/issues/9253