LiveActive security incident?Get immediate response
CVE Record

CVE-2022-27305: Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vul...

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-27305 describes a session management flaw in Gibbon v23. After login, the application does not create a fresh session ID cookie. If an attacker can cause a user to authenticate with a known session, that session could potentially be abused.

Executive priority

Treat as a targeted account-access risk for Gibbon v23 environments, not a confirmed mass-exploitation emergency based on provided evidence. Prioritize assessment where Gibbon handles student, staff, or administrative accounts.

Technical view

The issue is session fixation: Gibbon v23 keeps the same session identifier after authentication instead of rotating it. The provided sources do not include CVSS, CWE, detailed affected version ranges beyond v23, or confirmed remediation details.

Likely exposure

Exposure appears limited to organizations running Gibbon v23. The provided source bundle does not identify affected CPEs, other versions, hosted services, or deployment-specific prerequisites.

Exploitation context

The CVE is not listed as CISA KEV in the provided bundle, and no cited source states active exploitation. Practical risk depends on whether attackers can set or predict a user session before authentication.

Researcher notes

Evidence is sparse. The bundle provides the core vulnerability statement and advisory link, but no CVSS vector, CWE mapping, exploit status, fixed version, or workaround details. Avoid broad claims until vendor guidance is reviewed.

Mitigation direction

  • Check the Gibbon advisory and release notes for official remediation guidance.
  • Inventory Gibbon deployments and confirm whether version 23 is present.
  • Prioritize fixes for internet-facing or shared-device school portals.
  • Review session-management configuration and authentication controls.
  • Monitor vendor channels for patch or workaround updates.

Validation and detection

  • Identify all Gibbon instances and record exact versions.
  • Review login behavior using an approved test account.
  • Confirm the session ID changes after successful authentication.
  • Check whether compensating controls limit session fixation risk.
  • Document findings against the GitHub advisory and CVE record.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-27305 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.