Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-7MRH-JRCG-WC76

Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2024-06-21 21:33
VLAI
Details

By sending specific queries to the resolver, an attacker can cause named to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-21T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "By sending specific queries to the resolver, an attacker can cause named to crash.",
  "id": "GHSA-7mrh-jrcg-wc76",
  "modified": "2024-06-21T21:33:52Z",
  "published": "2022-09-22T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3080"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/docs/cve-2022-3080"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-25"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240621-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5235"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/09/21/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7MRW-F6G3-G543

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709.",
  "id": "GHSA-7mrw-f6g3-g543",
  "modified": "2022-05-24T19:06:59Z",
  "published": "2022-05-24T19:06:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20378"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/195709"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6469407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7PR3-55XW-4RXX

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-26T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM i2 Analyst\u0027s Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342.",
  "id": "GHSA-7pr3-55xw-4rxx",
  "modified": "2022-05-24T19:09:14Z",
  "published": "2022-05-24T19:09:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20431"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196342"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6474865"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7RRH-86WH-4Q5P

Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-20 00:00
VLAI
Details

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in Desigo DXR2 (All versions \u003c V01.21.142.5-22), Desigo PXC3 (All versions \u003c V01.21.142.4-18), Desigo PXC4 (All versions \u003c V02.20.142.10-10884), Desigo PXC5 (All versions \u003c V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.",
  "id": "GHSA-7rrh-86wh-4q5p",
  "modified": "2022-05-20T00:00:37Z",
  "published": "2022-05-11T00:01:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24042"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RWQ-Q3MJ-F9QW

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-20007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-01T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal\u0027s security advisory policy.",
  "id": "GHSA-7rwq-q3mj-f9qw",
  "modified": "2022-05-24T17:37:32Z",
  "published": "2022-05-24T17:37:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20007"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/node/2744889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7V3X-H7R2-34JV

Vulnerability from github – Published: 2022-01-21 18:43 – Updated: 2022-01-20 16:18
VLAI
Summary
Insufficient Session Expiration in Pterodactyl API
Details

Impact

A vulnerability exists in Pterodactyl Panel <= 1.6.6 that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to.

It is important to note that a malicious user must first compromise an existing API key for a user to exploit this issue. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.

Patches

This issue has been addressed in the v1.7.0 release of Pterodactyl Panel.

Workarounds

Those not wishing to upgrade may apply the change below:

diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php
index eb25dac6..857bfab2 100644
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@@ -70,7 +70,7 @@ class AuthenticateKey
         } else {
             $model = $this->authenticateApiKey($request->bearerToken(), $keyType);

-            $this->auth->guard()->loginUsingId($model->user_id);
+            $this->auth->guard()->onceUsingId($model->user_id);
         }

For more information

If you have any questions or comments about this advisory please reach out to Tactical Fish#8008 on Discord or email dane@pterodactyl.io.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pterodactyl/panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-20T16:18:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nA vulnerability exists in Pterodactyl Panel `\u003c= 1.6.6` that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to.\n\nIt is important to note that **a malicious user must first compromise an existing API key for a user to exploit this issue**. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.\n\n### Patches\nThis issue has been addressed in the `v1.7.0` release of Pterodactyl Panel.\n\n### Workarounds\nThose not wishing to upgrade may apply the change below:\n\n```diff\ndiff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php\nindex eb25dac6..857bfab2 100644\n--- a/app/Http/Middleware/Api/AuthenticateKey.php\n+++ b/app/Http/Middleware/Api/AuthenticateKey.php\n@@ -70,7 +70,7 @@ class AuthenticateKey\n         } else {\n             $model = $this-\u003eauthenticateApiKey($request-\u003ebearerToken(), $keyType);\n\n-            $this-\u003eauth-\u003eguard()-\u003eloginUsingId($model-\u003euser_id);\n+            $this-\u003eauth-\u003eguard()-\u003eonceUsingId($model-\u003euser_id);\n         }\n```\n\n### For more information\nIf you have any questions or comments about this advisory please reach out to `Tactical Fish#8008` on [Discord](https://discord.gg/pterodactyl) or email `dane@pterodactyl.io`.\n",
  "id": "GHSA-7v3x-h7r2-34jv",
  "modified": "2022-01-20T16:18:28Z",
  "published": "2022-01-21T18:43:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/commit/dfa329ddf242908b60e22e3340ea36359eab1ef4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/panel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in Pterodactyl API"
}

GHSA-7V43-V54C-P26H

Vulnerability from github – Published: 2023-12-30 00:30 – Updated: 2024-04-25 15:30
VLAI
Details

An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-18T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system\u0027s integrity.",
  "id": "GHSA-7v43-v54c-p26h",
  "modified": "2024-04-25T15:30:36Z",
  "published": "2023-12-30T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4320"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2010"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4320"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2231814"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WPG-27G9-F8VC

Vulnerability from github – Published: 2026-07-11 00:31 – Updated: 2026-07-11 00:31
VLAI
Details

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T23:16:48Z",
    "severity": "HIGH"
  },
  "details": "Multiple connections to the backend using the same charging station ID \nare allowed, which could allow an attacker to deploy multiple instances \nof malicious OCPP clients to overwhelm the backend.",
  "id": "GHSA-7wpg-27g9-f8vc",
  "modified": "2026-07-11T00:31:50Z",
  "published": "2026-07-11T00:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44383"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
    },
    {
      "type": "WEB",
      "url": "https://www.hydroquebec.com/nous-joindre"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7XCG-CX52-VR25

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-10-01 00:00
VLAI
Details

An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. Because of implicitly remembered user-login information, physically proximate attackers can use a user session after browser closure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-18T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. Because of implicitly remembered user-login information, physically proximate attackers can use a user session after browser closure.",
  "id": "GHSA-7xcg-cx52-vr25",
  "modified": "2022-10-01T00:00:25Z",
  "published": "2022-05-24T17:28:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradle/gradle/security/advisories"
    },
    {
      "type": "WEB",
      "url": "https://security.gradle.com/advisory/CVE-2020-15774"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7XFQ-9M67-9J5J

Vulnerability from github – Published: 2024-07-05 03:30 – Updated: 2025-11-05 00:31
VLAI
Details

KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-05T02:15:10Z",
    "severity": "HIGH"
  },
  "details": "KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.",
  "id": "GHSA-7xfq-9m67-9j5j",
  "modified": "2025-11-05T00:31:17Z",
  "published": "2024-07-05T03:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KDE/plasma-workspace/tags"
    },
    {
      "type": "WEB",
      "url": "https://invent.kde.org/plasma/plasma-workspace"
    },
    {
      "type": "WEB",
      "url": "https://kde.org/info/security/advisory-20240531-1.txt"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43YGQJGB5I33UBRY2OHXTPXIEESZLZ6N"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNOZWSWXAR6EM3VIUJRSAI3L4QPURQPC"
    },
    {
      "type": "WEB",
      "url": "https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.