CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-GHPH-4RFG-4X3F
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.
{
"affected": [],
"aliases": [
"CVE-2021-37156"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-05T21:15:00Z",
"severity": "HIGH"
},
"details": "Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user\u0027s account, but the intended behavior is for those sessions to be terminated.",
"id": "GHSA-ghph-4rfg-4x3f",
"modified": "2022-05-24T19:10:04Z",
"published": "2022-05-24T19:10:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37156"
},
{
"type": "WEB",
"url": "https://www.redmine.org/news/132"
},
{
"type": "WEB",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GJ7P-595X-QWF5
Vulnerability from github – Published: 2026-04-15 19:19 – Updated: 2026-04-24 21:11Affected Components
DSF FHIR Server with enabled OIDC authentication. DSF BPE Server with enabled OIDC authentication.
Summary
OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.
Impact
If a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations.
Only affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.
Fix (commits f4ecb00, 7d25fea)
- Added configurable session timeout via
dev.dsf.server.auth.oidc.session.timeout(default:PT30M). - Enabled
logoutWhenIdTokenIsExpired(true)in OpenID configuration to tie session lifetime to token lifetime. - Websocket sessions are now closed with
VIOLATED_POLICYwhen credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "dev.dsf:dsf-common-jetty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "dev.dsf:dsf-fhir-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "dev.dsf:dsf-bpe-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40939"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:19:43Z",
"nvd_published_at": "2026-04-21T22:16:19Z",
"severity": "MODERATE"
},
"details": "### Affected Components\nDSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\nDSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n\n### Summary\nOIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.\n\n### Impact\nIf a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user\u0027s permissions. This is a realistic threat in hospital environments with shared workstations.\n\nOnly affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.\n\n### Fix (commits f4ecb00, 7d25fea)\n- Added configurable session timeout via `dev.dsf.server.auth.oidc.session.timeout` (default: `PT30M`).\n- Enabled `logoutWhenIdTokenIsExpired(true)` in OpenID configuration to tie session lifetime to token lifetime.\n- Websocket sessions are now closed with `VIOLATED_POLICY` when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.",
"id": "GHSA-gj7p-595x-qwf5",
"modified": "2026-04-24T21:11:02Z",
"published": "2026-04-15T19:19:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40939"
},
{
"type": "WEB",
"url": "https://github.com/datasharingframework/dsf/commit/7d25feafb83d66cb59985ac88568b67d937b1937"
},
{
"type": "WEB",
"url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7"
},
{
"type": "WEB",
"url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html"
},
{
"type": "WEB",
"url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/datasharingframework/dsf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Data Sharing Framework is Missing Session Timeout for OIDC Sessions"
}
GHSA-GMVP-5RF9-MXCM
Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2024-11-26 18:33The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0a0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-5251"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T21:16:54Z",
"nvd_published_at": "2014-08-25T14:55:00Z",
"severity": "HIGH"
},
"details": "The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.",
"id": "GHSA-gmvp-5rf9-mxcm",
"modified": "2024-11-26T18:33:49Z",
"published": "2022-05-17T04:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5251"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/6cbf835542d62e6e5db4b4aef7141b1731cad9dc"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/7aee6304f653475a4130dc3e5be602e91481f108"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1347961"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2014-107.yaml"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1121.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1122.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/08/15/6"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2324-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events"
}
GHSA-GQ2M-77HF-VWGH
Vulnerability from github – Published: 2026-03-05 20:53 – Updated: 2026-03-06 22:52Summary
OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).
An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.
This is a session management flaw that violates expected logout semantics.
Details
During logout:
// Logout only clears browser cookie
response.Header().Set("Set-Cookie", localCookie.String())
However, the server still accepts the session:
session := sessionStorage.Providers[provider].Sessions[sid]
...
return session
The SID is not deleted from sessionStorage.
Why vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).
File: api.go, sessions.go, local.go Lines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47 Behavior - Login → receive SID cookie - Logout → cookie cleared client-side - Replay old SID manually → still authenticated
Expected: - Logout invalidates session immediately
Actual: - Old SID remains usable until expiry
PoC
Minimal config
listenAddressSingleHTTPFrontend: 0.0.0.0:16642
authRequireGuestsToLogin: true
authLocalUsers:
enabled: true
users:
- username: low
usergroup: users
password: "$argon2id$..."
actions:
- title: Dummy
id: dummy
shell: "echo dummy"
Reproduction
Login and capture SID:
LOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \
-H 'Content-Type: application/json' \
-d '{"username":"low","password":"lowpass"}')
SID=$(printf '%s\n' "$LOGIN" | awk -F'[=;]' '/olivetin-sid-local/{print $2}')
Works before logout:
curl -X POST http://localhost:16642/api/WhoAmI \
-H "Cookie: olivetin-sid-local=$SID"
Logout:
curl -X POST http://localhost:16642/api/Logout \
-H "Cookie: olivetin-sid-local=$SID"
Replay old cookie:
curl -X POST http://localhost:16642/api/WhoAmI \
-H "Cookie: olivetin-sid-local=$SID"
Result
User is still authenticated after logout.
Impact
Type:
Session Management Flaw
- Logout Bypass
- Session Replay
Risk: - Stolen cookies remain valid - Persistent unauthorized access - Users falsely believe logout ended the session
Attack scenarios: - Shared computers - XSS/session theft - Proxy logs - Malware/browser compromise
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/OliveTin/OliveTin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260304233115-d6a0abc3755d15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30224"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T20:53:08Z",
"nvd_published_at": "2026-03-06T21:16:16Z",
"severity": "MODERATE"
},
"details": "### Summary\nOliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default \u2248 1 year).\n\nAn attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.\n\nThis is a session management flaw that violates expected logout semantics.\n\n### Details\nDuring logout:\n```\n// Logout only clears browser cookie\nresponse.Header().Set(\"Set-Cookie\", localCookie.String())\n```\nHowever, the server still accepts the session:\n```\nsession := sessionStorage.Providers[provider].Sessions[sid]\n...\nreturn session\n```\nThe SID is not deleted from sessionStorage.\n\nWhy vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).\n\nFile: [api.go](app://-/index.html?hostId=local#), [sessions.go](app://-/index.html?hostId=local#), [local.go](app://-/index.html?hostId=local#)\nLines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47\nBehavior\n- Login \u2192 receive SID cookie\n- Logout \u2192 cookie cleared client-side\n- Replay old SID manually \u2192 still authenticated\n\nExpected:\n- Logout invalidates session immediately\n\nActual:\n- Old SID remains usable until expiry\n\n### PoC\n\nMinimal config\n```\nlistenAddressSingleHTTPFrontend: 0.0.0.0:16642\nauthRequireGuestsToLogin: true\n\nauthLocalUsers:\n enabled: true\n users:\n - username: low\n usergroup: users\n password: \"$argon2id$...\"\n\nactions:\n - title: Dummy\n id: dummy\n shell: \"echo dummy\"\n```\n\n### Reproduction\n\nLogin and capture SID:\n```\nLOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"low\",\"password\":\"lowpass\"}\u0027)\n\nSID=$(printf \u0027%s\\n\u0027 \"$LOGIN\" | awk -F\u0027[=;]\u0027 \u0027/olivetin-sid-local/{print $2}\u0027)\n```\nWorks before logout:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n -H \"Cookie: olivetin-sid-local=$SID\"\n```\nLogout:\n```\ncurl -X POST http://localhost:16642/api/Logout \\\n -H \"Cookie: olivetin-sid-local=$SID\"\n```\nReplay old cookie:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n -H \"Cookie: olivetin-sid-local=$SID\"\n```\nResult\n\nUser is still authenticated after logout.\n### Impact\nType:\n\nSession Management Flaw\n\n- Logout Bypass\n- Session Replay\n\nRisk:\n- Stolen cookies remain valid\n- Persistent unauthorized access\n- Users falsely believe logout ended the session\n\nAttack scenarios:\n- Shared computers\n- XSS/session theft\n- Proxy logs\n- Malware/browser compromise",
"id": "GHSA-gq2m-77hf-vwgh",
"modified": "2026-03-06T22:52:14Z",
"published": "2026-03-05T20:53:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30224"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/OliveTin/OliveTin"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session"
}
GHSA-GQRR-9CVJ-JRRQ
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-06-19 15:30After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
{
"affected": [],
"aliases": [
"CVE-2019-2386"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-06T19:15:00Z",
"severity": "MODERATE"
},
"details": "After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user\u0027s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.",
"id": "GHSA-gqrr-9cvj-jrrq",
"modified": "2023-06-19T15:30:48Z",
"published": "2022-05-24T16:52:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2386"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-38984"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GW5F-5FMC-2XP2
Vulnerability from github – Published: 2026-04-16 12:31 – Updated: 2026-04-16 12:31Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts.
The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.
{
"affected": [],
"aliases": [
"CVE-2025-12624"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T11:16:26Z",
"severity": "MODERATE"
},
"details": "Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts.\n\nThe security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.",
"id": "GHSA-gw5f-5fmc-2xp2",
"modified": "2026-04-16T12:31:41Z",
"published": "2026-04-16T12:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12624"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4684"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GX4R-C3V7-5X28
Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-14 21:31Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access.
Compute in Prisma Cloud Enterprise Edition is not affected by this issue.
{
"affected": [],
"aliases": [
"CVE-2025-0138"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T19:15:52Z",
"severity": "LOW"
},
"details": "Web sessions in the web interface of Palo Alto Networks Prisma\u00ae Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access.\n\nCompute in Prisma Cloud Enterprise Edition is not affected by this issue.",
"id": "GHSA-gx4r-c3v7-5x28",
"modified": "2025-05-14T21:31:18Z",
"published": "2025-05-14T21:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0138"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2025-0138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-H23J-73WW-7594
Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-14 15:37Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:oic-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.421.v5422614eb"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52553"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-14T15:37:51Z",
"nvd_published_at": "2024-11-13T21:15:29Z",
"severity": "HIGH"
},
"details": "Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.",
"id": "GHSA-h23j-73ww-7594",
"modified": "2024-11-14T15:37:51Z",
"published": "2024-11-13T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52553"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/oic-auth-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3473"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin"
}
GHSA-H24C-CC8X-FQ2G
Vulnerability from github – Published: 2022-08-05 00:00 – Updated: 2022-08-11 00:00In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2022-35728"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-04T18:15:00Z",
"severity": "CRITICAL"
},
"details": "In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user\u0027s iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-h24c-cc8x-fq2g",
"modified": "2022-08-11T00:00:30Z",
"published": "2022-08-05T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35728"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K55580033"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2F3-6HHF-J7CC
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
{
"affected": [],
"aliases": [
"CVE-2021-39113"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T07:15:00Z",
"severity": "HIGH"
},
"details": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.",
"id": "GHSA-h2f3-6hhf-j7cc",
"modified": "2022-05-24T19:12:32Z",
"published": "2022-05-24T19:12:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39113"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-72573"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.