CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-M8H2-GG48-M54F
Vulnerability from github – Published: 2025-07-18 09:30 – Updated: 2025-07-18 09:30An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted.
{
"affected": [],
"aliases": [
"CVE-2024-27779"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T08:15:25Z",
"severity": "MODERATE"
},
"details": "An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin\u0027s session even after the admin user was deleted.",
"id": "GHSA-m8h2-gg48-m54f",
"modified": "2025-07-18T09:30:31Z",
"published": "2025-07-18T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27779"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-035"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MC87-MP22-885H
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.
{
"affected": [],
"aliases": [
"CVE-2022-2820"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-384",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.",
"id": "GHSA-mc87-mp22-885h",
"modified": "2022-08-17T00:00:23Z",
"published": "2022-08-16T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2820"
},
{
"type": "WEB",
"url": "https://github.com/namelessmc/nameless/commit/469bebc17855720e43f0c8209c88a57d2b55f6de"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/df06b7d7-6077-43a5-bd81-3cc66f0d4d19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MF3V-F2QQ-PF9G
Vulnerability from github – Published: 2022-03-14 22:30 – Updated: 2022-03-15 21:48Impact
The reset password token was not set to null after the password was changed. This is causing behaviour in which the same token can be used several times, so it can result in a leak of the existing token and an unauthorised password change.
Patches
The issue is fixed in versions: 1.10.11, 1.11.2 and above
Workarounds
You have to overwrite your Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class using this code:
<?php
declare(strict_types=1);
namespace App\CommandHandler\Account;
use Sylius\Bundle\ApiBundle\Command\Account\ResetPassword;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Resource\Metadata\MetadataInterface;
use Sylius\Component\User\Repository\UserRepositoryInterface;
use Sylius\Component\User\Security\PasswordUpdaterInterface;
use Symfony\Component\Messenger\Handler\MessageHandlerInterface;
use Webmozart\Assert\Assert;
final class ResetPasswordHandler implements MessageHandlerInterface
{
private UserRepositoryInterface $userRepository;
private MetadataInterface $metadata;
private PasswordUpdaterInterface $passwordUpdater;
public function __construct(
UserRepositoryInterface $userRepository,
MetadataInterface $metadata,
PasswordUpdaterInterface $passwordUpdater
) {
$this->userRepository = $userRepository;
$this->metadata = $metadata;
$this->passwordUpdater = $passwordUpdater;
}
public function __invoke(ResetPassword $command): void
{
/** @var ShopUserInterface|null $user */
$user = $this->userRepository->findOneBy(['passwordResetToken' => $command->resetPasswordToken]);
Assert::notNull($user, 'No user found with reset token: ' . $command->resetPasswordToken);
$resetting = $this->metadata->getParameter('resetting');
$lifetime = new \DateInterval($resetting['token']['ttl']);
if (!$user->isPasswordRequestNonExpired($lifetime)) {
throw new \InvalidArgumentException('Password reset token has expired');
}
if ($command->resetPasswordToken !== $user->getPasswordResetToken()) {
throw new \InvalidArgumentException('Password reset token does not match.');
}
$user->setPlainPassword($command->newPassword);
$this->passwordUpdater->updatePassword($user);
$user->setPasswordResetToken(null);
}
}
And register it in container:
App\CommandHandler\Account\ResetPasswordHandler:
arguments:
- '@sylius.repository.shop_user'
- !service
class: Sylius\Component\Resource\Metadata\MetadataInterface
factory: [ '@sylius.resource_registry', 'get' ]
arguments:
- 'sylius.shop_user'
- '@sylius.security.password_updater'
tags:
- { name: messenger.message_handler, bus: sylius.command_bus }
- { name: messenger.message_handler, bus: sylius_default.bus }
For more information
If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24743"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-14T22:30:46Z",
"nvd_published_at": "2022-03-14T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe reset password token was not set to null after the password was changed. This is causing behaviour in which the same token can be used several times, so it can result in a leak of the existing token and an unauthorised password change.\n\n### Patches\nThe issue is fixed in versions: 1.10.11, 1.11.2 and above\n\n### Workarounds\nYou have to overwrite your `Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler` class using this code:\n\n```php\n\u003c?php\ndeclare(strict_types=1);\n\nnamespace App\\CommandHandler\\Account;\n\nuse Sylius\\Bundle\\ApiBundle\\Command\\Account\\ResetPassword;\nuse Sylius\\Component\\Core\\Model\\ShopUserInterface;\nuse Sylius\\Component\\Resource\\Metadata\\MetadataInterface;\nuse Sylius\\Component\\User\\Repository\\UserRepositoryInterface;\nuse Sylius\\Component\\User\\Security\\PasswordUpdaterInterface;\nuse Symfony\\Component\\Messenger\\Handler\\MessageHandlerInterface;\nuse Webmozart\\Assert\\Assert;\n\nfinal class ResetPasswordHandler implements MessageHandlerInterface\n{\n private UserRepositoryInterface $userRepository;\n private MetadataInterface $metadata;\n private PasswordUpdaterInterface $passwordUpdater;\n\n public function __construct(\n UserRepositoryInterface $userRepository,\n MetadataInterface $metadata,\n PasswordUpdaterInterface $passwordUpdater\n ) {\n $this-\u003euserRepository = $userRepository;\n $this-\u003emetadata = $metadata;\n $this-\u003epasswordUpdater = $passwordUpdater;\n }\n\n public function __invoke(ResetPassword $command): void\n {\n /** @var ShopUserInterface|null $user */\n $user = $this-\u003euserRepository-\u003efindOneBy([\u0027passwordResetToken\u0027 =\u003e $command-\u003eresetPasswordToken]);\n\n Assert::notNull($user, \u0027No user found with reset token: \u0027 . $command-\u003eresetPasswordToken);\n\n $resetting = $this-\u003emetadata-\u003egetParameter(\u0027resetting\u0027);\n $lifetime = new \\DateInterval($resetting[\u0027token\u0027][\u0027ttl\u0027]);\n\n if (!$user-\u003eisPasswordRequestNonExpired($lifetime)) {\n throw new \\InvalidArgumentException(\u0027Password reset token has expired\u0027);\n }\n\n if ($command-\u003eresetPasswordToken !== $user-\u003egetPasswordResetToken()) {\n throw new \\InvalidArgumentException(\u0027Password reset token does not match.\u0027);\n }\n\n $user-\u003esetPlainPassword($command-\u003enewPassword);\n\n $this-\u003epasswordUpdater-\u003eupdatePassword($user);\n $user-\u003esetPasswordResetToken(null);\n }\n}\n```\nAnd register it in container:\n\n```yaml\n\nApp\\CommandHandler\\Account\\ResetPasswordHandler:\n arguments:\n - \u0027@sylius.repository.shop_user\u0027\n - !service\n class: Sylius\\Component\\Resource\\Metadata\\MetadataInterface\n factory: [ \u0027@sylius.resource_registry\u0027, \u0027get\u0027 ]\n arguments:\n - \u0027sylius.shop_user\u0027\n - \u0027@sylius.security.password_updater\u0027\n tags:\n - { name: messenger.message_handler, bus: sylius.command_bus }\n - { name: messenger.message_handler, bus: sylius_default.bus }\n \n```\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at [security@sylius.com](mailto:security@sylius.com)\n",
"id": "GHSA-mf3v-f2qq-pf9g",
"modified": "2022-03-15T21:48:34Z",
"published": "2022-03-14T22:30:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24743"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in Sylius"
}
GHSA-MF52-J94G-746M
Vulnerability from github – Published: 2026-06-21 03:30 – Updated: 2026-06-21 03:30A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-12772"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-21T03:16:22Z",
"severity": "LOW"
},
"details": "A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.",
"id": "GHSA-mf52-j94g-746m",
"modified": "2026-06-21T03:30:24Z",
"published": "2026-06-21T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12772"
},
{
"type": "WEB",
"url": "https://gist.github.com/YLChen-007/39ed709ce322431658a05b951e91f278"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-12772"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/811281"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/372514"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/372514/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MF79-F657-47WW
Vulnerability from github – Published: 2022-03-20 00:00 – Updated: 2022-03-28 15:39Admidio prior to version 4.1.9 is vulnerable to insufficient session expiration. In vulnerable versions, changing the password in one session does not terminate sessions logged in with the old password, which could lead to unauthorized actors maintaining access to an account.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0991"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-28T15:39:13Z",
"nvd_published_at": "2022-03-19T08:15:00Z",
"severity": "HIGH"
},
"details": "Admidio prior to version 4.1.9 is vulnerable to insufficient session expiration. In vulnerable versions, changing the password in one session does not terminate sessions logged in with the old password, which could lead to unauthorized actors maintaining access to an account.",
"id": "GHSA-mf79-f657-47ww",
"modified": "2022-03-28T15:39:13Z",
"published": "2022-03-20T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0991"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/issues/1238"
},
{
"type": "WEB",
"url": "https://github.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/releases/tag/v4.1.9"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1c406a4e-15d0-4920-8495-731c48473ba4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in Admidio"
}
GHSA-MFH8-V6RJ-QXF5
Vulnerability from github – Published: 2022-05-17 00:23 – Updated: 2022-05-17 00:23iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens.
{
"affected": [],
"aliases": [
"CVE-2017-6145"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-20T15:29:00Z",
"severity": "HIGH"
},
"details": "iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens.",
"id": "GHSA-mfh8-v6rj-qxf5",
"modified": "2022-05-17T00:23:45Z",
"published": "2022-05-17T00:23:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6145"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K22317030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MGJ2-Q8WP-29RR
Vulnerability from github – Published: 2022-12-13 17:06 – Updated: 2022-12-13 17:06Problem
When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.
Solution
Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.
References
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23502"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T17:06:07Z",
"nvd_published_at": "2022-12-14T08:15:00Z",
"severity": "MODERATE"
},
"details": "### Problem\nWhen users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.\n\n### Solution\nUpdate to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.\n\n### References\n* [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)\n",
"id": "GHSA-mgj2-q8wp-29rr",
"modified": "2022-12-13T17:06:07Z",
"published": "2022-12-13T17:06:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23502"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/d9ffbf24fcc62068033ebb3912538347bd380a6c"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23502.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23502.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3/typo3"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2022-014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset"
}
GHSA-MMMM-CHJF-JMVW
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2023-01-24 18:35When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: >=1.79.0, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "gitaly"
},
"ranges": [
{
"events": [
{
"introduced": "1.79.0"
},
{
"fixed": "13.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "gitaly"
},
"ranges": [
{
"events": [
{
"introduced": "13.4"
},
{
"fixed": "13.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "gitaly"
},
"ranges": [
{
"events": [
{
"introduced": "13.5"
},
{
"fixed": "13.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13353"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-24T18:35:04Z",
"nvd_published_at": "2020-11-17T01:15:00Z",
"severity": "LOW"
},
"details": "When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: \u003e=1.79.0, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2.",
"id": "GHSA-mmmm-chjf-jmvw",
"modified": "2023-01-24T18:35:04Z",
"published": "2022-05-24T17:34:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13353"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/gitaly/CVE-2020-13353.yml"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json"
},
{
"type": "PACKAGE",
"url": "https://gitlab.com/gitlab-org/gitaly"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gitaly Insufficient Session Expiration vulnerability"
}
GHSA-MQ7J-4CJ9-75X8
Vulnerability from github – Published: 2023-03-15 21:30 – Updated: 2023-03-19 06:30IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710.
{
"affected": [],
"aliases": [
"CVE-2023-22591"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-15T21:15:00Z",
"severity": "LOW"
},
"details": "IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710.",
"id": "GHSA-mq7j-4cj9-75x8",
"modified": "2023-03-19T06:30:24Z",
"published": "2023-03-15T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22591"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/243710"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6962175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQJ8-MFFF-XRQX
Vulnerability from github – Published: 2024-12-20 15:30 – Updated: 2024-12-20 15:30In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles
{
"affected": [],
"aliases": [
"CVE-2024-56351"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T15:15:08Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles",
"id": "GHSA-mqj8-mfff-xrqx",
"modified": "2024-12-20T15:30:48Z",
"published": "2024-12-20T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56351"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.