CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-MQPQ-887P-5XGM
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590.
{
"affected": [],
"aliases": [
"CVE-2024-35049"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:39:39Z",
"severity": "CRITICAL"
},
"details": "SurveyKing v1.3.1 was discovered to keep users\u0027 sessions active after logout. Related to an incomplete fix for CVE-2022-25590.",
"id": "GHSA-mqpq-887p-5xgm",
"modified": "2024-07-03T18:41:12Z",
"published": "2024-05-14T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35049"
},
{
"type": "WEB",
"url": "https://github.com/javahuang/SurveyKing/issues/55"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQVW-2H8P-CF8G
Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2021-12-07 00:01An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
{
"affected": [],
"aliases": [
"CVE-2021-42545"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-30T12:15:00Z",
"severity": "CRITICAL"
},
"details": "An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version \u003c= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.",
"id": "GHSA-mqvw-2h8p-cf8g",
"modified": "2021-12-07T00:01:04Z",
"published": "2021-12-01T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42545"
},
{
"type": "WEB",
"url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MQWC-6QWC-V9GQ
Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.
The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token's exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token's validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak's default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token's exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.
{
"affected": [],
"aliases": [
"CVE-2026-46455"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T09:16:36Z",
"severity": "CRITICAL"
},
"details": "Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\n\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.",
"id": "GHSA-mqwc-6qwc-v9gq",
"modified": "2026-07-06T21:30:36Z",
"published": "2026-07-06T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46455"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security/CVE-2026-46455.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR4X-C4V9-X729
Vulnerability from github – Published: 2018-12-20 22:01 – Updated: 2025-03-14 20:26aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.6.0"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp-session"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000814"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:47:02Z",
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "HIGH"
},
"details": "aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.",
"id": "GHSA-mr4x-c4v9-x729",
"modified": "2025-03-14T20:26:12Z",
"published": "2018-12-20T22:01:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000814"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp-session/issues/325"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp-session/pull/331"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp-session/commit/1b356f01bbab57d041c9a75bacd72fbbf8524728"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-mr4x-c4v9-x729"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp-session"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp-session/PYSEC-2018-35.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "aiohttp-session creates non-expiring sessions"
}
GHSA-MR8H-J9CV-4M8H
Vulnerability from github – Published: 2021-04-22 16:11 – Updated: 2021-04-22 14:30Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
- https://vaadin.com/security/cve-2021-31408
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-bom"
},
"ranges": [
{
"events": [
{
"introduced": "18.0.0"
},
{
"fixed": "19.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-31408"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-22T14:30:10Z",
"nvd_published_at": "2021-04-23T17:15:00Z",
"severity": "MODERATE"
},
"details": "`Authentication.logout()` helper in `com.vaadin:flow-client` versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.\n\n- https://vaadin.com/security/cve-2021-31408",
"id": "GHSA-mr8h-j9cv-4m8h",
"modified": "2021-04-22T14:30:10Z",
"published": "2021-04-22T16:11:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/platform/security/advisories/GHSA-mr8h-j9cv-4m8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31408"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/10577"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2021-31408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19"
}
GHSA-MW5W-R4HR-H96V
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 206213.
{
"affected": [],
"aliases": [
"CVE-2021-29868"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-27T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 206213.",
"id": "GHSA-mw5w-r4hr-h96v",
"modified": "2022-05-24T19:18:57Z",
"published": "2022-05-24T19:18:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29868"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206213"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6508776"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MWP3-45P3-XQ9X
Vulnerability from github – Published: 2024-10-04 21:31 – Updated: 2024-10-17 15:31Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.
{
"affected": [],
"aliases": [
"CVE-2024-43685"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-04T20:15:06Z",
"severity": "HIGH"
},
"details": "Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.",
"id": "GHSA-mwp3-45p3-xq9x",
"modified": "2024-10-17T15:31:08Z",
"published": "2024-10-04T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43685"
},
{
"type": "WEB",
"url": "https://www.gruppotim.it/it/footer/red-team.html"
},
{
"type": "WEB",
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-session-token-fixation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-MXFJ-X685-FXWF
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.
{
"affected": [],
"aliases": [
"CVE-2018-1195"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-19T18:29:00Z",
"severity": "HIGH"
},
"details": "In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.",
"id": "GHSA-mxfj-x685-fxwf",
"modified": "2022-05-13T01:49:23Z",
"published": "2022-05-13T01:49:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1195"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2018-1195"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXG5-G3Q7-FFX3
Vulnerability from github – Published: 2023-05-05 15:30 – Updated: 2024-04-04 03:49IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179.
{
"affected": [],
"aliases": [
"CVE-2022-38707"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-05T14:15:09Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179.",
"id": "GHSA-mxg5-g3q7-ffx3",
"modified": "2024-04-04T03:49:27Z",
"published": "2023-05-05T15:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38707"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/234179"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6983274"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXH5-F83R-VF79
Vulnerability from github – Published: 2025-09-17 18:31 – Updated: 2025-09-17 18:31CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.
{
"affected": [],
"aliases": [
"CVE-2025-35433"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T17:15:43Z",
"severity": "LOW"
},
"details": "CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.",
"id": "GHSA-mxh5-f83r-vf79",
"modified": "2025-09-17T18:31:18Z",
"published": "2025-09-17T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35433"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c#diff-57a8b13962b268bcc3690df0f6c0d6ddeca7cbc7b05c3c20903cb07e659330eaR844-R849"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/thorium/releases/tag/1.1.1"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.