CWE-324
AllowedUse of a Key Past its Expiration Date
Abstraction: Base · Status: Draft
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
41 vulnerabilities reference this CWE, most recent first.
CVE-2024-7318 (GCVE-0-2024-7318)
Vulnerability from cvelistv5 – Published: 2024-09-09 18:50 – Updated: 2026-01-26 15:11- CWE-324 - Use of a Key Past its Expiration Date
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:6502 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:6503 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2024-7318 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2301876 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
0 , < 24.0.7
(semver)
Affected: 25.0.0 , < 25.0.4 (semver) |
|||
| Red Hat | Red Hat Build of Keycloak |
cpe:/a:redhat:build_keycloak:24 |
|
| Red Hat | Red Hat build of Keycloak 24 |
Unaffected:
24.0.7-4 , < *
(rpm)
cpe:/a:redhat:build_keycloak:24::el9 |
|
| Red Hat | Red Hat build of Keycloak 24 |
Unaffected:
24-16 , < *
(rpm)
cpe:/a:redhat:build_keycloak:24::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7318",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T19:08:16.666351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T19:08:33.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/keycloak/keycloak",
"defaultStatus": "unaffected",
"packageName": "keycloak-core",
"versions": [
{
"lessThan": "24.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "25.0.4",
"status": "affected",
"version": "25.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:24"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-core",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:24::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 24",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "24.0.7-4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:24::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 24",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "24-16",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:24::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 24",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "24-16",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Todd Cullum (Red Hat)."
}
],
"datePublic": "2024-09-09T13:55:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.\r\nA one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T15:11:07.763Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:6502",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:6502"
},
{
"name": "RHSA-2024:6503",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:6503"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-7318"
},
{
"name": "RHBZ#2301876",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301876"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-31T03:04:38.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-09-09T13:55:00.000Z",
"value": "Made public."
}
],
"title": "Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-324: Use of a Key Past its Expiration Date"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-7318",
"datePublished": "2024-09-09T18:50:36.583Z",
"dateReserved": "2024-07-31T03:04:15.355Z",
"dateUpdated": "2026-01-26T15:11:07.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6299 (GCVE-0-2024-6299)
Vulnerability from cvelistv5 – Published: 2024-06-25 13:02 – Updated: 2024-08-29 15:04- CWE-324 - Use of a Key Past its Expiration Date
| Vendor | Product | Version | |
|---|---|---|---|
| The Conduit Contributors | Conduit |
Affected:
0 , < 0.8.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T13:58:35.120104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:58.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.377Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Conduit",
"vendor": "The Conduit Contributors",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maltsev for finding vulnerability, Matthias Ahouansou for fixing it"
}
],
"descriptions": [
{
"lang": "en",
"value": "Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:59.770Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"
},
{
"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.8.0"
}
],
"title": "Use of a Key Past its Expiration Date in Conduit"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-6299",
"datePublished": "2024-06-25T13:02:25.979Z",
"dateReserved": "2024-06-25T10:30:35.803Z",
"dateUpdated": "2024-08-29T15:04:59.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5342 (GCVE-0-2023-5342)
Vulnerability from cvelistv5 – Published: 2025-08-15 12:06 – Updated: 2025-08-15 12:57- CWE-324 - Use of a Key Past its Expiration Date
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2023-5342 | vdb-entryx_refsource_REDHAT |
| https://bodhi.fedoraproject.org/updates/FEDORA-20… | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2198977 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2388707 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
15.6-2 , < 15.8-2
(rpm)
|
|||
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T12:56:07.496868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T12:57:37.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://koji.fedoraproject.org/koji/packageinfo?packageID=14502",
"defaultStatus": "unaffected",
"packageName": "shim-x64",
"versions": [
{
"lessThan": "15.8-2",
"status": "affected",
"version": "15.6-2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "shim",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "shim",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "shim",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "shim",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2024-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T12:06:35.309Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-5342"
},
{
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-2aa28a4cfc"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2198977"
},
{
"name": "RHBZ#2388707",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388707"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-14T19:49:02.481Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-03-14T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Shim: expired secure boot certificate",
"x_redhatCweChain": "CWE-324: Use of a Key Past its Expiration Date"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2023-5342",
"datePublished": "2025-08-15T12:06:35.309Z",
"dateReserved": "2023-10-02T16:08:44.422Z",
"dateUpdated": "2025-08-15T12:57:37.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35401 (GCVE-0-2022-35401)
Vulnerability from cvelistv5 – Published: 2023-01-10 20:44 – Updated: 2025-03-05 19:35- CWE-324 - Use of a Key Past its Expiration Date
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1586"
},
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1586",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1586"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35401",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:42:32.178676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:35:53.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RT-AX82U",
"vendor": "Asus",
"versions": [
{
"status": "affected",
"version": "3.0.0.4.386_49674-ge182230"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-10T20:44:50.554Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1586",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1586"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2022-35401",
"datePublished": "2023-01-10T20:44:50.554Z",
"dateReserved": "2022-07-26T18:51:32.220Z",
"dateUpdated": "2025-03-05T19:35:53.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24732 (GCVE-0-2022-24732)
Vulnerability from cvelistv5 – Published: 2022-03-09 19:40 – Updated: 2025-04-23 18:56| URL | Tags |
|---|---|
| https://github.com/foxcpp/maddy/security/advisori… | x_refsource_CONFIRM |
| https://github.com/foxcpp/maddy/commit/7ee6a39c6a… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.847Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:25.376848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:56:33.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "maddy",
"vendor": "foxcpp",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T19:40:08.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583"
}
],
"source": {
"advisory": "GHSA-6cp7-g972-w9m9",
"discovery": "UNKNOWN"
},
"title": "Maddy Mail Server does not implement account expiry",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24732",
"STATE": "PUBLIC",
"TITLE": "Maddy Mail Server does not implement account expiry"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "maddy",
"version": {
"version_data": [
{
"version_value": "\u003c 0.5.4"
}
]
}
}
]
},
"vendor_name": "foxcpp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-324: Use of a Key Past its Expiration Date"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9",
"refsource": "CONFIRM",
"url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9"
},
{
"name": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583",
"refsource": "MISC",
"url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583"
}
]
},
"source": {
"advisory": "GHSA-6cp7-g972-w9m9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24732",
"datePublished": "2022-03-09T19:40:08.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:56:33.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2447 (GCVE-0-2022-2447)
Vulnerability from cvelistv5 – Published: 2022-09-01 20:30 – Updated: 2024-08-03 00:39| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2105419 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2022-2447 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | openstack-keystone |
Affected:
openstack-keystone as shipped in Red Hat OpenStack 16.1 and 16.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105419"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-2447"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openstack-keystone",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "openstack-keystone as shipped in Red Hat OpenStack 16.1 and 16.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-19T19:55:57.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105419"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-2447"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-2447",
"datePublished": "2022-09-01T20:30:20.000Z",
"dateReserved": "2022-07-16T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:39:07.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33020 (GCVE-0-2021-33020)
Vulnerability from cvelistv5 – Published: 2022-04-01 22:17 – Updated: 2025-04-16 16:33- CWE-324 - Use of a Key Past its Expiration Date
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsma-… | x_refsource_CONFIRM |
| http://www.philips.com/productsecurity | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Philips | Vue PACS |
Affected:
unspecified , ≤ 12.2.x.x
(custom)
|
|
| Philips | Vue MyVue |
Affected:
unspecified , ≤ 12.2.x.x
(custom)
|
|
| Philips | Vue Speech |
Affected:
unspecified , ≤ 12.2.x.x
(custom)
|
|
| Philips | Vue Motion |
Affected:
unspecified , ≤ 12.2.1.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:42:19.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.philips.com/productsecurity"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-33020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:58:07.250796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:33:04.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vue PACS",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "12.2.x.x",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Vue MyVue",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "12.2.x.x",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Vue Speech",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "12.2.x.x",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Vue Motion",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "12.2.1.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philips reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"value": "Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:17.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.philips.com/productsecurity"
}
],
"solutions": [
{
"lang": "en",
"value": "Philips has released the following plans to address these vulnerabilities:\nPhilips recommends configuring the Vue PACS environment per D000763414 \u2013 Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter.\nPhilips released Version 12.2.1.5 in June of 2020 for Vue Motion to remediate this issue and recommends contacting support.\nReleases are subject to country specific regulations. Users with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact a Philips Sales representative or submit a quote request in the eService portal at: Login - eService (philips.com)\n\nThe Philips advisory is available. Please see the Philips product security website for the latest security information for Philips products."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Philips Vue PACS Use of a Key Past its Expiration Date",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2021-33020",
"STATE": "PUBLIC",
"TITLE": "Philips Vue PACS Use of a Key Past its Expiration Date"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Vue PACS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.2.x.x"
}
]
}
},
{
"product_name": "Vue MyVue",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.2.x.x"
}
]
}
},
{
"product_name": "Vue Speech",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.2.x.x"
}
]
}
},
{
"product_name": "Vue Motion",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "12.2.1.5"
}
]
}
}
]
},
"vendor_name": "Philips"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philips reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-324: Use of a Key Past its Expiration Date"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01"
},
{
"name": "http://www.philips.com/productsecurity",
"refsource": "CONFIRM",
"url": "http://www.philips.com/productsecurity"
}
]
},
"solution": [
{
"lang": "en",
"value": "Philips has released the following plans to address these vulnerabilities:\nPhilips recommends configuring the Vue PACS environment per D000763414 \u2013 Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter.\nPhilips released Version 12.2.1.5 in June of 2020 for Vue Motion to remediate this issue and recommends contacting support.\nReleases are subject to country specific regulations. Users with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact a Philips Sales representative or submit a quote request in the eService portal at: Login - eService (philips.com)\n\nThe Philips advisory is available. Please see the Philips product security website for the latest security information for Philips products."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-33020",
"datePublished": "2022-04-01T22:17:17.000Z",
"dateReserved": "2021-05-13T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:33:04.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3790 (GCVE-0-2019-3790)
Vulnerability from cvelistv5 – Published: 2019-06-06 19:16 – Updated: 2024-09-16 22:20- CWE-324 - Use of a Key Past its Expiration Date
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/108512 | vdb-entryx_refsource_BID |
| https://pivotal.io/security/cve-2019-3790 | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Pivotal | Pivotal Ops Manager |
Affected:
2.3 , < 2.3.16
(custom)
Affected: 2.4 , < 2.4.11 (custom) Affected: 2.2 , < 2.2.23 (custom) Affected: 2.5 , < 2.5.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.470Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "108512",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108512"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3790"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal Ops Manager",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "2.3.16",
"status": "affected",
"version": "2.3",
"versionType": "custom"
},
{
"lessThan": "2.4.11",
"status": "affected",
"version": "2.4",
"versionType": "custom"
},
{
"lessThan": "2.2.23",
"status": "affected",
"version": "2.2",
"versionType": "custom"
},
{
"lessThan": "2.5.3",
"status": "affected",
"version": "2.5",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-06T19:17:33.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "108512",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108512"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3790"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Ops Manager uaa client issues tokens after refresh token expiration",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2019-05-28T13:47:10.000Z",
"ID": "CVE-2019-3790",
"STATE": "PUBLIC",
"TITLE": "Ops Manager uaa client issues tokens after refresh token expiration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal Ops Manager",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.3",
"version_value": "2.3.16"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.4",
"version_value": "2.4.11"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.2",
"version_value": "2.2.23"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.5",
"version_value": "2.5.3"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-324: Use of a Key Past its Expiration Date"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "108512",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108512"
},
{
"name": "https://pivotal.io/security/cve-2019-3790",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3790"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3790",
"datePublished": "2019-06-06T19:16:16.854Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:20:48.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-263C-689V-JCFH
Vulnerability from github – Published: 2024-05-22 21:30 – Updated: 2024-05-22 21:30IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.
{
"affected": [],
"aliases": [
"CVE-2024-31893"
],
"database_specific": {
"cwe_ids": [
"CWE-324",
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T19:15:08Z",
"severity": "MODERATE"
},
"details": "IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.",
"id": "GHSA-263c-689v-jcfh",
"modified": "2024-05-22T21:30:35Z",
"published": "2024-05-22T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31893"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/288174"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7154606"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-283C-79HH-MFP9
Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2024-06-25 15:31Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date
{
"affected": [],
"aliases": [
"CVE-2024-6299"
],
"database_specific": {
"cwe_ids": [
"CWE-324"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T13:15:50Z",
"severity": "MODERATE"
},
"details": "Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date",
"id": "GHSA-283c-79hh-mfp9",
"modified": "2024-06-25T15:31:08Z",
"published": "2024-06-25T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6299"
},
{
"type": "WEB",
"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"
},
{
"type": "WEB",
"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.
No CAPEC attack patterns related to this CWE.