CVE-2018-1000814: Insufficient Session Expiration
EncryptedCookieStorage and NaClCookieStorage both lack proper session expiration. A user who has obtained a legitimate session can replay it by presenting a cookie with the same value as the original after it should have expired, which defeats the purpose of cookie expiry.
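To show why a client-side Max-Age alone is insufficient, here is an added example (not aiohttp-session's own code): a constructed cookie-backed session store in which all session state lives in the cookie value. HMAC-SHA256 is used as a stand-in for the encryption the real storages apply; the point demonstrated is that the server must embed the creation time in the protected value and enforce the age limit itself. The key, MAX_AGE and the injected `now` clock are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load a random secret from config.
SECRET = b"constructed-demo-key-not-for-real-use"
MAX_AGE = 3600  # seconds a session is allowed to live, enforced server-side


def _sign(payload: bytes) -> str:
    """Append an HMAC tag and base64-encode, standing in for encryption."""
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def _verify(cookie: str):
    """Return the decoded payload if the tag is valid, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def make_cookie(data: dict, now: float) -> str:
    # Embed the issue time so the server can judge age without trusting the client.
    return _sign(json.dumps({"created": now, "session": data}).encode())


def load_session_vulnerable(cookie: str, now: float):
    # Only the browser's Max-Age attribute limits lifetime: a replayed value is
    # accepted indefinitely, which is the behaviour described in the advisory.
    obj = _verify(cookie)
    return None if obj is None else obj["session"]


def load_session_fixed(cookie: str, now: float):
    # Reject values older than MAX_AGE regardless of what the client presents.
    obj = _verify(cookie)
    if obj is None or now - obj["created"] > MAX_AGE:
        return None
    return obj["session"]
```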