Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-C3W2-9VQM-66R7

Vulnerability from github – Published: 2024-01-10 00:30 – Updated: 2024-01-10 00:30
VLAI
Details

A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-09T23:15:09Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability.",
  "id": "GHSA-c3w2-9vqm-66r7",
  "modified": "2024-01-10T00:30:23Z",
  "published": "2024-01-10T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0350"
    },
    {
      "type": "WEB",
      "url": "https://mega.nz/file/fckFBASJ#lffaC0xY44ri9Ln-7hrUbUtq2GTiE8roiW8guR7QeVE"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.250118"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.250118"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4HJ-8XP2-799F

Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-10-30 00:31
VLAI
Details

On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-29T23:16:18Z",
    "severity": "MODERATE"
  },
  "details": "On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired",
  "id": "GHSA-c4hj-8xp2-799f",
  "modified": "2025-10-30T00:31:02Z",
  "published": "2025-10-30T00:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54547"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22538-security-advisory-0124"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5QW-PGMJ-MR6G

Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05
VLAI
Details

A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN connection should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token. Affected releases are Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D75; 15.1X49 versions prior to 15.1X49-D150; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN connection should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token. Affected releases are Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D75; 15.1X49 versions prior to 15.1X49-D150; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.",
  "id": "GHSA-c5qw-pgmj-mr6g",
  "modified": "2022-05-13T01:05:18Z",
  "published": "2022-05-13T01:05:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0015"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10915"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106668"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C673-WFH5-4255

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:39
VLAI
Details

Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-14T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.",
  "id": "GHSA-c673-wfh5-4255",
  "modified": "2024-04-04T02:39:29Z",
  "published": "2022-05-24T17:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11168"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K64346530?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K64346530?utm_source=f5support\u0026amp;utm_medium=RSS"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00313.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8FF-V2JW-PMF5

Vulnerability from github – Published: 2022-05-17 00:24 – Updated: 2022-05-17 00:24
VLAI
Details

Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-03T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended.",
  "id": "GHSA-c8ff-v2jw-pmf5",
  "modified": "2022-05-17T00:24:07Z",
  "published": "2022-05-17T00:24:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000135"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/mahara/+bug/1348024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8XW-VJGF-94HR

Vulnerability from github – Published: 2023-08-23 17:50 – Updated: 2025-06-24 17:14
VLAI
Summary
Argo CD web terminal session doesn't expire
Details

Impact

All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already.

Patches

A patch for this vulnerability has been released in the following Argo CD version:

  • v2.6.14
  • v2.7.12
  • v2.8.1

Workarounds

The only way to completely resolve the issue is to upgrade.

Mitigations

Disable web-based terminal or define RBAC rules to it https://argo-cd.readthedocs.io/en/latest/operator-manual/web_based_terminal/

For more information

If you have any questions or comments about this advisory: * Open an issue in the Argo CD issue tracker or discussions * Join us on Slack in channel #argo-cd

Credits

Thank you to bean.zhang (@zhlu32 ) of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our guidelines.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.8.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-20230718200744-12a5a7a70d6e"
            },
            {
              "fixed": "2.0.0-20230821201509-e047efa8f951"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-23T17:50:41Z",
    "nvd_published_at": "2023-08-23T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAll versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already.\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD version:\n\n* v2.6.14\n* v2.7.12\n* v2.8.1\n\n### Workarounds\nThe only way to completely resolve the issue is to upgrade.\n\n#### Mitigations\nDisable web-based terminal or define RBAC rules to it\n[https://argo-cd.readthedocs.io/en/latest/operator-manual/web_based_terminal/](https://argo-cd.readthedocs.io/en/latest/operator-manual/web_based_terminal/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\n\nThank you to bean.zhang (@zhlu32 ) of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability).",
  "id": "GHSA-c8xw-vjgf-94hr",
  "modified": "2025-06-24T17:14:53Z",
  "published": "2023-08-23T17:50:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40025"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD web terminal session doesn\u0027t expire"
}

GHSA-C92R-G8J5-VHCX

Vulnerability from github – Published: 2026-04-09 12:31 – Updated: 2026-04-10 19:33
VLAI
Summary
Apache Airflow: JWT token still valid after logout
Details

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:33:21Z",
    "nvd_published_at": "2026-04-09T11:16:20Z",
    "severity": "CRITICAL"
  },
  "details": "When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+\n\n\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue.",
  "id": "GHSA-c92r-g8j5-vhcx",
  "modified": "2026-04-10T19:33:21Z",
  "published": "2026-04-09T12:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/56633"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/61339"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow: JWT token still valid after logout"
}

GHSA-C9H6-V78W-52WJ

Vulnerability from github – Published: 2024-04-17 18:25 – Updated: 2025-03-14 20:25
VLAI
Summary
Keycloak vulnerable to session hijacking via re-authentication
Details

A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "24.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-17T18:25:29Z",
    "nvd_published_at": "2024-04-25T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.",
  "id": "GHSA-c9h6-v78w-52wj",
  "modified": "2025-03-14T20:25:54Z",
  "published": "2024-04-17T18:25:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-c9h6-v78w-52wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6787"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1867"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1868"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6787"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254375"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak vulnerable to session hijacking via re-authentication"
}

GHSA-CC2Q-7R88-56Q9

Vulnerability from github – Published: 2026-02-27 03:30 – Updated: 2026-03-05 21:30
VLAI
Details

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T01:16:20Z",
    "severity": "HIGH"
  },
  "details": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests.",
  "id": "GHSA-cc2q-7r88-56q9",
  "modified": "2026-03-05T21:30:27Z",
  "published": "2026-02-27T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07"
    },
    {
      "type": "WEB",
      "url": "https://www.ev.energy/en-us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CC4R-2RWJ-VX7X

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-19T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.",
  "id": "GHSA-cc4r-2rwj-vx7x",
  "modified": "2022-05-24T17:42:42Z",
  "published": "2022-05-24T17:42:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27351"
    },
    {
      "type": "WEB",
      "url": "https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202105-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.