CVE-2024-23679: 
Java vulnerability analysis and mitigation

Enonic XP versions prior to 7.7.4 are vulnerable to a session fixation issue (CVE-2024-23679). This vulnerability affects the lib-auth component, specifically impacting all id-providers using the lib-auth login method. The vulnerability was discovered and disclosed in October 2022, with patches released in version 7.7.4 (GitHub Advisory).

The vulnerability stems from a session fixation issue where the system fails to properly invalidate previous sessions during the authentication process. The issue occurs because the lib-auth login method does not properly handle session attributes during the authentication process, allowing an unauthenticated attacker to use prior sessions (NVD). The vulnerability is classified as Critical severity (GitHub Advisory).

The vulnerability affects all id-providers utilizing the lib-auth login method in Enonic XP. An unauthenticated remote attacker could potentially exploit this vulnerability to use prior sessions due to the lack of proper session attribute invalidation (NVD).

The primary mitigation is to upgrade to Enonic XP version 7.7.4 or later, which includes patches that properly handle session invalidation. As a workaround, users can avoid using lib-auth for login and instead utilize the Java API, which uses low-level structures and allows for proper invalidation of previous sessions before auth-info is added (GitHub Advisory).