Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-GHPH-4RFG-4X3F

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-05T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user\u0027s account, but the intended behavior is for those sessions to be terminated.",
  "id": "GHSA-ghph-4rfg-4x3f",
  "modified": "2022-05-24T19:10:04Z",
  "published": "2022-05-24T19:10:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37156"
    },
    {
      "type": "WEB",
      "url": "https://www.redmine.org/news/132"
    },
    {
      "type": "WEB",
      "url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GJ7P-595X-QWF5

Vulnerability from github – Published: 2026-04-15 19:19 – Updated: 2026-04-24 21:11
VLAI
Summary
Data Sharing Framework is Missing Session Timeout for OIDC Sessions
Details

Affected Components

DSF FHIR Server with enabled OIDC authentication. DSF BPE Server with enabled OIDC authentication.

Summary

OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.

Impact

If a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations.

Only affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.

Fix (commits f4ecb00, 7d25fea)

  • Added configurable session timeout via dev.dsf.server.auth.oidc.session.timeout (default: PT30M).
  • Enabled logoutWhenIdTokenIsExpired(true) in OpenID configuration to tie session lifetime to token lifetime.
  • Websocket sessions are now closed with VIOLATED_POLICY when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-common-jetty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-fhir-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-bpe-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:19:43Z",
    "nvd_published_at": "2026-04-21T22:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Affected Components\nDSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\nDSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n\n### Summary\nOIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.\n\n### Impact\nIf a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user\u0027s permissions. This is a realistic threat in hospital environments with shared workstations.\n\nOnly affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.\n\n### Fix (commits f4ecb00, 7d25fea)\n- Added configurable session timeout via `dev.dsf.server.auth.oidc.session.timeout` (default: `PT30M`).\n- Enabled `logoutWhenIdTokenIsExpired(true)` in OpenID configuration to tie session lifetime to token lifetime.\n- Websocket sessions are now closed with `VIOLATED_POLICY` when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.",
  "id": "GHSA-gj7p-595x-qwf5",
  "modified": "2026-04-24T21:11:02Z",
  "published": "2026-04-15T19:19:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40939"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/commit/7d25feafb83d66cb59985ac88568b67d937b1937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7"
    },
    {
      "type": "WEB",
      "url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html"
    },
    {
      "type": "WEB",
      "url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/datasharingframework/dsf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Data Sharing Framework is Missing Session Timeout for OIDC Sessions"
}

GHSA-GMVP-5RF9-MXCM

Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2024-11-26 18:33
VLAI
Summary
OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events
Details

The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0a0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-5251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T21:16:54Z",
    "nvd_published_at": "2014-08-25T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.",
  "id": "GHSA-gmvp-5rf9-mxcm",
  "modified": "2024-11-26T18:33:49Z",
  "published": "2022-05-17T04:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/6cbf835542d62e6e5db4b4aef7141b1731cad9dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/7aee6304f653475a4130dc3e5be602e91481f108"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1347961"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2014-107.yaml"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1121.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1122.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/08/15/6"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2324-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events"
}

GHSA-GQ2M-77HF-VWGH

Vulnerability from github – Published: 2026-03-05 20:53 – Updated: 2026-03-06 22:52
VLAI
Summary
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
Details

Summary

OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).

An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.

This is a session management flaw that violates expected logout semantics.

Details

During logout:

// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())

However, the server still accepts the session:

session := sessionStorage.Providers[provider].Sessions[sid]
...
return session

The SID is not deleted from sessionStorage.

Why vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).

File: api.go, sessions.go, local.go Lines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47 Behavior - Login → receive SID cookie - Logout → cookie cleared client-side - Replay old SID manually → still authenticated

Expected: - Logout invalidates session immediately

Actual: - Old SID remains usable until expiry

PoC

Minimal config

listenAddressSingleHTTPFrontend: 0.0.0.0:16642
authRequireGuestsToLogin: true

authLocalUsers:
  enabled: true
  users:
    - username: low
      usergroup: users
      password: "$argon2id$..."

actions:
  - title: Dummy
    id: dummy
    shell: "echo dummy"

Reproduction

Login and capture SID:

LOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \
  -H 'Content-Type: application/json' \
  -d '{"username":"low","password":"lowpass"}')

SID=$(printf '%s\n' "$LOGIN" | awk -F'[=;]' '/olivetin-sid-local/{print $2}')

Works before logout:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Logout:

curl -X POST http://localhost:16642/api/Logout \
  -H "Cookie: olivetin-sid-local=$SID"

Replay old cookie:

curl -X POST http://localhost:16642/api/WhoAmI \
  -H "Cookie: olivetin-sid-local=$SID"

Result

User is still authenticated after logout.

Impact

Type:

Session Management Flaw

  • Logout Bypass
  • Session Replay

Risk: - Stolen cookies remain valid - Persistent unauthorized access - Users falsely believe logout ended the session

Attack scenarios: - Shared computers - XSS/session theft - Proxy logs - Malware/browser compromise

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OliveTin/OliveTin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260304233115-d6a0abc3755d15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:53:08Z",
    "nvd_published_at": "2026-03-06T21:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nOliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default \u2248 1 year).\n\nAn attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.\n\nThis is a session management flaw that violates expected logout semantics.\n\n### Details\nDuring logout:\n```\n// Logout only clears browser cookie\nresponse.Header().Set(\"Set-Cookie\", localCookie.String())\n```\nHowever, the server still accepts the session:\n```\nsession := sessionStorage.Providers[provider].Sessions[sid]\n...\nreturn session\n```\nThe SID is not deleted from sessionStorage.\n\nWhy vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).\n\nFile: [api.go](app://-/index.html?hostId=local#), [sessions.go](app://-/index.html?hostId=local#), [local.go](app://-/index.html?hostId=local#)\nLines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47\nBehavior\n- Login \u2192 receive SID cookie\n- Logout \u2192 cookie cleared client-side\n- Replay old SID manually \u2192 still authenticated\n\nExpected:\n- Logout invalidates session immediately\n\nActual:\n- Old SID remains usable until expiry\n\n### PoC\n\nMinimal config\n```\nlistenAddressSingleHTTPFrontend: 0.0.0.0:16642\nauthRequireGuestsToLogin: true\n\nauthLocalUsers:\n  enabled: true\n  users:\n    - username: low\n      usergroup: users\n      password: \"$argon2id$...\"\n\nactions:\n  - title: Dummy\n    id: dummy\n    shell: \"echo dummy\"\n```\n\n### Reproduction\n\nLogin and capture SID:\n```\nLOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"low\",\"password\":\"lowpass\"}\u0027)\n\nSID=$(printf \u0027%s\\n\u0027 \"$LOGIN\" | awk -F\u0027[=;]\u0027 \u0027/olivetin-sid-local/{print $2}\u0027)\n```\nWorks before logout:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nLogout:\n```\ncurl -X POST http://localhost:16642/api/Logout \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nReplay old cookie:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nResult\n\nUser is still authenticated after logout.\n### Impact\nType:\n\nSession Management Flaw\n\n- Logout Bypass\n- Session Replay\n\nRisk:\n- Stolen cookies remain valid\n- Persistent unauthorized access\n- Users falsely believe logout ended the session\n\nAttack scenarios:\n- Shared computers\n- XSS/session theft\n- Proxy logs\n- Malware/browser compromise",
  "id": "GHSA-gq2m-77hf-vwgh",
  "modified": "2026-03-06T22:52:14Z",
  "published": "2026-03-05T20:53:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OliveTin/OliveTin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session"
}

GHSA-GQRR-9CVJ-JRRQ

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-06-19 15:30
VLAI
Details

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-2386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-06T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user\u0027s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.",
  "id": "GHSA-gqrr-9cvj-jrrq",
  "modified": "2023-06-19T15:30:48Z",
  "published": "2022-05-24T16:52:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2386"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-38984"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GW5F-5FMC-2XP2

Vulnerability from github – Published: 2026-04-16 12:31 – Updated: 2026-04-16 12:31
VLAI
Details

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts.

The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-16T11:16:26Z",
    "severity": "MODERATE"
  },
  "details": "Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts.\n\nThe security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.",
  "id": "GHSA-gw5f-5fmc-2xp2",
  "modified": "2026-04-16T12:31:41Z",
  "published": "2026-04-16T12:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12624"
    },
    {
      "type": "WEB",
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4684"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GX4R-C3V7-5X28

Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-14 21:31
VLAI
Details

Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access.

Compute in Prisma Cloud Enterprise Edition is not affected by this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-14T19:15:52Z",
    "severity": "LOW"
  },
  "details": "Web sessions in the web interface of Palo Alto Networks Prisma\u00ae Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access.\n\nCompute in Prisma Cloud Enterprise Edition is not affected by this issue.",
  "id": "GHSA-gx4r-c3v7-5x28",
  "modified": "2025-05-14T21:31:18Z",
  "published": "2025-05-14T21:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0138"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-0138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H23J-73WW-7594

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-14 15:37
VLAI
Summary
Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin
Details

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:oic-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.421.v5422614eb"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-14T15:37:51Z",
    "nvd_published_at": "2024-11-13T21:15:29Z",
    "severity": "HIGH"
  },
  "details": "Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.",
  "id": "GHSA-h23j-73ww-7594",
  "modified": "2024-11-14T15:37:51Z",
  "published": "2024-11-13T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52553"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/oic-auth-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3473"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin"
}

GHSA-H24C-CC8X-FQ2G

Vulnerability from github – Published: 2022-08-05 00:00 – Updated: 2022-08-11 00:00
VLAI
Details

In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-04T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user\u0027s iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-h24c-cc8x-fq2g",
  "modified": "2022-08-11T00:00:30Z",
  "published": "2022-08-05T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35728"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K55580033"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2F3-6HHF-J7CC

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-30T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.",
  "id": "GHSA-h2f3-6hhf-j7cc",
  "modified": "2022-05-24T19:12:32Z",
  "published": "2022-05-24T19:12:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39113"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-72573"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.