In March 2022 the Gibbon team were alerted to a security vulnerability in the Gibbon Core. We have worked to identify and verify the fix and create a patch release of Gibbon, v23.0.02.
Impact
This advisory pertains to a session fixation vulnerability identified in the Gibbon Core for all versions of Gibbon prior to v23.0.02.
- Vulnerability Type: Session Fixation, CWE-384 (Moderate Severity)
- Affected Versions: All versions prior to Gibbon v23.0.02
- Risk Assessment: To the best of our knowledge the vulnerability has not been exploited. However, we feel it is important enough for system administrators to update sooner rather than waiting for the next version of Gibbon.
Risk Mitigation
This vulnerability has been fixed in the v23.0.02 release Ga Yau (Security Update). System administrators can secure their system by updating to this latest version of Gibbon following the update instructions.
Installations running the cutting edge code should be sure to update to the latest commit of v24.0.00.
Patches
Installations running a version of Gibbon prior to v23 are recommended to update their system. If an update is not possible, we have prepared patches for the following versions, which can be applied by replacing the login.php file in the Gibbon root directory.
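For readers who maintain their own login code, the following is an added illustration of the standard defence against session fixation (CWE-384) at the point of authentication. It is not Gibbon's login.php or its patch; the user lookup, the `findUser()` and `login*()` function names, and the cookie settings are stand-ins chosen for this example.

```php
<?php
// Added example, not Gibbon's code: protecting the login step against
// session fixation by refusing to carry a pre-authentication session ID
// into the authenticated session.
declare(strict_types=1);

// Session hardening, applied before session_start(). Strict mode makes PHP
// reject uninitialised session IDs presented by the client rather than
// adopting them; HttpOnly and Secure limit how the cookie can be read or sent.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Constructed stand-in for a user lookup; a real application queries its database.
function findUser(string $username): ?array
{
    $users = [
        'alice' => ['id' => 1, 'passwordHash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$username] ?? null;
}

// Weak pattern: the session that existed before authentication is kept, so an
// identifier that was already set before login stays valid for the logged-in user.
function loginKeepingSession(string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['passwordHash'])) {
        return false;
    }
    $_SESSION['userID'] = $user['id'];
    return true;
}

// Hardened pattern: once credentials are verified, issue a fresh session ID and
// delete the old session data, so nothing known before login survives into the
// authenticated session.
function loginWithFreshSession(string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['passwordHash'])) {
        return false;
    }
    session_regenerate_id(true); // true = remove the old session file as well
    $_SESSION['userID'] = $user['id'];
    $_SESSION['authenticatedAt'] = time();
    return true;
}
```

When reviewing a login handler, the check is simply whether `session_regenerate_id(true)` (or an equivalent) runs after a successful credential check and before any privileged data is written to the session.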
Acknowledgement
We would like to thank Kole Swesey, the security researcher who brought this vulnerability to our attention. We have collaborated with them to verify the fix and follow responsible disclosure practices.
References
Information about our security policy can be found on our GitHub repository, including our commitment to following best practices for software security releases and disclosure.
For more information
If you have any questions or comments about this advisory: