Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

872 vulnerabilities reference this CWE, most recent first.

GHSA-VM6P-35RW-3FXC

Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-18 19:14
VLAI
Summary
Cockpit before 2.2.0 vulnerable to Insufficient Session Expiration
Details

Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aheinze/cockpit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-18T19:14:08Z",
    "nvd_published_at": "2022-08-08T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.",
  "id": "GHSA-vm6p-35rw-3fxc",
  "modified": "2022-08-18T19:14:08Z",
  "published": "2022-08-09T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cockpit-hq/cockpit/commit/dd8d0314912fa6517ebd2cc9939d9fafbe68731b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cockpit-hq/cockpit"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3080fc96-75d7-4868-84de-9fc8c9b90290"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cockpit before 2.2.0 vulnerable to Insufficient Session Expiration"
}

GHSA-VP66-GF7W-9M4X

Vulnerability from github – Published: 2024-02-17 06:30 – Updated: 2024-02-20 23:47
VLAI
Summary
Insufficient Session Expiration in github.com/greenpau/caddy-security
Details

All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/greenpau/caddy-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T23:47:50Z",
    "nvd_published_at": "2024-02-17T05:15:08Z",
    "severity": "MODERATE"
  },
  "details": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the \"Sign Out\" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.",
  "id": "GHSA-vp66-gf7w-9m4x",
  "modified": "2024-02-20T23:47:50Z",
  "published": "2024-02-17T06:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/greenpau/caddy-security/issues/272"
    },
    {
      "type": "WEB",
      "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/greenpau/caddy-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in github.com/greenpau/caddy-security"
}

GHSA-VPFW-47H7-XJ4G

Vulnerability from github – Published: 2025-05-08 14:45 – Updated: 2025-05-09 14:34
VLAI
Summary
Rack session gets restored after deletion
Details

Summary

When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.

Details

Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.

Impact

When using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.

Mitigation

  • Update to the latest version of rack, or
  • Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a logged_out flag, instead of deleting them, and check this flag on every request to prevent reuse, or
  • Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.

Related

As this code was moved to rack-session in Rack 3+, see https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj for the equivalent advisory in rack-session (affecting Rack 3+ only).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.13"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-08T14:45:18Z",
    "nvd_published_at": "2025-05-07T23:15:53Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.\n\n### Details\n\n[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270) prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.\n\n### Impact\n\nWhen using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.\n\n## Mitigation\n\n- Update to the latest version of `rack`, or\n- Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse, or\n- Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.\n\n### Related\n\nAs this code was moved to `rack-session` in Rack 3+, see \u003chttps://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj\u003e for the equivalent advisory in `rack-session` (affecting Rack 3+ only).",
  "id": "GHSA-vpfw-47h7-xj4g",
  "modified": "2025-05-09T14:34:16Z",
  "published": "2025-05-08T14:45:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32441"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rack session gets restored after deletion"
}

GHSA-VQ32-QXMX-986V

Vulnerability from github – Published: 2023-07-31 03:30 – Updated: 2023-07-31 03:30
VLAI
Details

Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-31T01:15:09Z",
    "severity": "LOW"
  },
  "details": "Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.",
  "id": "GHSA-vq32-qxmx-986v",
  "modified": "2023-07-31T03:30:23Z",
  "published": "2023-07-31T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fossbilling/fossbilling/commit/20c23b051eb690cb4ae60a257f6bb46eb3aae2d1"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f0aacce1-79bc-4765-95f1-7e824433b9e4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR2W-6JC9-59FH

Vulnerability from github – Published: 2022-10-24 19:00 – Updated: 2022-10-24 19:00
VLAI
Details

Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-24T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.",
  "id": "GHSA-vr2w-6jc9-59fh",
  "modified": "2022-10-24T19:00:16Z",
  "published": "2022-10-24T19:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46279"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CVEProject/cvelist/blob/master/2021/46xxx/CVE-2021-46279.json"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories/CVE-2021-46279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR7M-C6V4-8CX8

Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-08 19:45
VLAI
Summary
Apache Airflow: Auth manager doesn't invalidate JWT tokens after users click logout
Details

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoke_token() call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with FabAuthManager or KeycloakAuthManager (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side revoke_token() reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to apache-airflow 3.2.2 or later to cover the FAB / Keycloak logout paths.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-08T19:45:43Z",
    "nvd_published_at": "2026-06-01T09:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A bug in Apache Airflow\u0027s auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.",
  "id": "GHSA-vr7m-c6v4-8cx8",
  "modified": "2026-07-08T19:45:43Z",
  "published": "2026-06-01T09:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/67289"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-187.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-57735"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow: Auth manager doesn\u0027t invalidate JWT tokens after users click logout"
}

GHSA-VWF2-F9CG-9FG8

Vulnerability from github – Published: 2023-06-19 06:30 – Updated: 2024-04-04 04:56
VLAI
Details

In Siren Investigate before 13.2.2, session keys remain active even after logging out.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-19T04:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "In Siren Investigate before 13.2.2, session keys remain active even after logging out.",
  "id": "GHSA-vwf2-f9cg-9fg8",
  "modified": "2024-04-04T04:56:00Z",
  "published": "2023-06-19T06:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35857"
    },
    {
      "type": "WEB",
      "url": "https://community.siren.io/c/announcements"
    },
    {
      "type": "WEB",
      "url": "https://docs.support.siren.io/siren-platform-user-guide/13.2/release-notes.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWHP-8JH2-Q93M

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-04 00:01
VLAI
Details

Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-12T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.",
  "id": "GHSA-vwhp-8jh2-q93m",
  "modified": "2024-04-04T00:01:17Z",
  "published": "2022-05-17T19:57:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2595"
    },
    {
      "type": "WEB",
      "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/39278"
    },
    {
      "type": "WEB",
      "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595"
    },
    {
      "type": "WEB",
      "url": "https://www.securityfocus.com/bid/69028"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Aug/5"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/109782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWJ8-4GRF-3R8V

Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2025-06-27 20:08
VLAI
Summary
Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use
Details

In implementation for the portal services before 5.7.3 in Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:com.liferay.portal.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.10.fp96"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.10.fp18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.10.fp5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-33322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-27T20:08:13Z",
    "nvd_published_at": "2021-08-03T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In implementation for the portal services before 5.7.3 in Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user\u2019s password via the old password reset token.",
  "id": "GHSA-vwj8-4grf-3r8v",
  "modified": "2025-06-27T20:08:14Z",
  "published": "2022-05-24T22:29:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/8f072ee8527a1dd5c0ffa91c4a78641d0e666b95"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/9fe453b34f58286a504d995be8ba50499adcf1b7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-16981"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-33322-password-change-does-not-invalidate-password-reset-tokens?p_r_p_assetEntryId=121610648\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121610648%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use"
}

GHSA-VX8M-6FHW-PCCW

Vulnerability from github – Published: 2023-08-21 20:13 – Updated: 2023-08-21 20:13
VLAI
Summary
@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Details

Summary

The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter.

Details

It was noticed that in the validatePostRequestAsync() flow in saml.js, the current timestamp is never checked. This could present a vulnerability where a user who has an XML LogoutRequest could validated it if the IssueInstance and the NotOnOrAfter are valid along with valid credentials (signature, certificate etc.).

PoC

I was able to validate a sample valid LogoutRequest XML multiple times through postman by sending it to my endpoint regardless if the current present time was past the NotOnOrAfter time. After some further testing, it seems that only the IssueInstance is checked against NotOnOrAfter. Not sure if this was the intended behaviour but I believe having a never expiring valid LogoutRequest could be dangerous.

Impact

This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@node-saml/node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40178"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-21T20:13:05Z",
    "nvd_published_at": "2023-08-23T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. \n\n### Details\n\nIt was noticed that in the validatePostRequestAsync() flow in saml.js, the current timestamp is never checked. This could present a vulnerability where a user who has an XML LogoutRequest could validated it if the IssueInstance and the NotOnOrAfter are valid along with valid credentials (signature, certificate etc.). \n\n### PoC\n\nI was able to validate a sample valid LogoutRequest XML multiple times through postman by sending it to my endpoint regardless if the current present time was past the NotOnOrAfter time. After some further testing, it seems that only the IssueInstance is checked against NotOnOrAfter. Not sure if this was the intended behaviour but I believe having a never expiring valid LogoutRequest could be dangerous.\n\n### Impact\n\nThis could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale.\n",
  "id": "GHSA-vx8m-6fhw-pccw",
  "modified": "2023-08-21T20:13:05Z",
  "published": "2023-08-21T20:13:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-vx8m-6fhw-pccw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40178"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/commit/045e3b9c54211fdb95f96edf363679845b195cec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-saml/node-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/releases/tag/v4.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@node-saml/node-saml\u0027s validatePostRequestAsync does not include checkTimestampsValidityError"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.