SCA: security update for github.com/gofiber/fiber, github.com/gofiber/fiber/v2, github.com/gofiber/fiber/v2/middleware/session (GHSA-98j2-3j3p-fw2v)

critical Tenable Cloud Security Plugin ID 413143

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Fiber is an Express-inspired web framework written in Go. Versions of the session middleware prior to
2.52.5 (GoFiber v2 and later) accept a client-supplied session_id value and create a session under that
key, so the client rather than the server chooses the session identifier. If an application relies on
the mere presence of a session as evidence of authentication or authorization, an attacker who can plant
a session_id in a victim's browser (session fixation) can later present the same value and act within the
victim's session, leading to unauthorized access. All users of GoFiber's session middleware in the
affected versions are impacted. The issue has been addressed in version 2.52.5; upgrade to 2.52.5 or
later. Users who cannot upgrade immediately can reduce the risk with one of two workarounds: add
validation so that session IDs are never taken from user input and are always generated by the server,
or rotate session IDs (at a minimum on login) and enforce strict session expiration. (CVE-2024-38513)
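The fixation pattern the description warns about, as an added example written for this page rather than code from the Fiber project: a minimal in-memory session store (hypothetical, standard library only, not Fiber's middleware/session package) whose vulnerable mode adopts whatever session_id the client sends as a new session key, beside the hardened behaviour that discards unknown IDs, plus the login-time rotation workaround the advisory lists. The Store, Authenticate, ProbeFixation and ProbeHijack names, the cookie name session_id, the user "alice" and the planted value "attacker-chosen-id" are all constructed for the example and do not describe Fiber's internals.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

const cookieName = "session_id"

// Store is a minimal in-memory session store written for this example (not
// Fiber's middleware/session); trustClientID=true mimics the pre-2.52.5 flaw.
type Store struct {
	mu            sync.Mutex
	sessions      map[string]map[string]string
	trustClientID bool
}

func NewStore(trustClientID bool) *Store {
	return &Store{sessions: map[string]map[string]string{}, trustClientID: trustClientID}
}

// newID returns 256 random bits, hex encoded: a key the client cannot choose.
func newID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Get resolves the session named by the request cookie. Vulnerable mode: an ID
// the store has never seen becomes the key of a new session, so the client picks
// its own identifier (CWE-384). Hardened mode: unknown IDs are discarded.
func (s *Store) Get(r *http.Request) (string, map[string]string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		if data, ok := s.sessions[c.Value]; ok {
			return c.Value, data
		}
		if s.trustClientID {
			s.sessions[c.Value] = map[string]string{}
			return c.Value, s.sessions[c.Value]
		}
	}
	id := newID()
	s.sessions[id] = map[string]string{}
	return id, s.sessions[id]
}

// Authenticate stands in for a login handler (credential check omitted). With
// rotate=true the session moves to a fresh ID before it is marked authenticated.
// Authorization must key off data["user"], never off a session merely existing.
func (s *Store) Authenticate(r *http.Request, user string, rotate bool) string {
	id, data := s.Get(r)
	s.mu.Lock()
	defer s.mu.Unlock()
	if rotate { // the advisory's rotation workaround: new ID at every privilege change
		delete(s.sessions, id)
		id = newID()
		s.sessions[id] = data
	}
	data["user"] = user
	return id
}

// attackerID is a constructed value the attacker planted in the victim's cookie.
const attackerID = "attacker-chosen-id"

func requestWith(id string) *http.Request {
	r := httptest.NewRequest("GET", "/", nil)
	r.AddCookie(&http.Cookie{Name: cookieName, Value: id})
	return r
}

// ProbeFixation reports whether a request carrying attackerID is served a
// session keyed by that exact string.
func ProbeFixation(trustClientID bool) bool {
	id, _ := NewStore(trustClientID).Get(requestWith(attackerID))
	return id == attackerID
}

// ProbeHijack runs the attack end to end (victim logs in with the planted cookie,
// attacker then presents attackerID) and reports whether the attacker got in.
func ProbeHijack(trustClientID, rotate bool) bool {
	s := NewStore(trustClientID)
	s.Authenticate(requestWith(attackerID), "alice", rotate) // "alice" is a constructed user
	_, data := s.Get(requestWith(attackerID))
	return data["user"] == "alice"
}

func main() {
	fmt.Println("adopts attacker ID: vulnerable", ProbeFixation(true), "hardened", ProbeFixation(false))
	fmt.Println("hijack: vuln/no-rotate", ProbeHijack(true, false), "vuln/rotate", ProbeHijack(true, true), "hardened", ProbeHijack(false, false))
}
```

Running it shows that only the vulnerable store adopts the planted ID, that the hijack succeeds only on the vulnerable store without rotation, and that rotating at login blocks it even there. The hardened Get is the property to check in your own middleware or store wrapper: a session ID the server cannot find must never become a key, so the client may present IDs but never choose them. Rotation alone still leaves the window between the planted ID and login open, which is why the advisory presents it as a fallback rather than a substitute for upgrading.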

See Also

https://github.com/advisories/GHSA-98j2-3j3p-fw2v

Plugin Details

Severity: Critical

ID: 413143

Version: Revision 1.23

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-38513

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2024

Vulnerability Publication Date: 7/1/2024

Reference Information

CVE: CVE-2024-38513

CWE: CWE-384