Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-5VCX-9483-28VF

Vulnerability from github – Published: 2023-05-05 21:31 – Updated: 2024-04-04 03:49
VLAI
Details

IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-05T19:15:15Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system.  IBM X-Force ID:  191290.",
  "id": "GHSA-5vcx-9483-28vf",
  "modified": "2024-04-04T03:49:54Z",
  "published": "2023-05-05T21:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4914"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191290"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6967181"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5VJ7-M9PC-CF7G

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-12T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the \u0027secure\u0027 attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158.",
  "id": "GHSA-5vj7-m9pc-cf7g",
  "modified": "2022-05-24T17:30:31Z",
  "published": "2022-05-24T17:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4780"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189158"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6346581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5WQR-8P59-25CC

Vulnerability from github – Published: 2024-06-12 21:31 – Updated: 2024-09-06 18:31
VLAI
Details

An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts. This is provided that the users do not log out of their deleted accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-12T21:15:50Z",
    "severity": "MODERATE"
  },
  "details": "An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts. This is provided that the users do not log out of their deleted accounts.",
  "id": "GHSA-5wqr-8p59-25cc",
  "modified": "2024-09-06T18:31:26Z",
  "published": "2024-06-12T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/648540858/wvp-GB28181-pro/issues/1456"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WX3-HJMF-QCGX

Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-05-28 18:33
VLAI
Details

The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-28T17:15:25Z",
    "severity": "MODERATE"
  },
  "details": "The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.",
  "id": "GHSA-5wx3-hjmf-qcgx",
  "modified": "2025-05-28T18:33:28Z",
  "published": "2025-05-28T18:33:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48929"
    },
    {
      "type": "WEB",
      "url": "https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XWJ-82GW-46FV

Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31
VLAI
Details

IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-17T20:22:01Z",
    "severity": "MODERATE"
  },
  "details": "IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-5xwj-82gw-46fv",
  "modified": "2026-02-17T21:31:14Z",
  "published": "2026-02-17T21:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27898"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7259901"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-624J-V5V7-QJPG

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17
VLAI
Details

A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only.",
  "id": "GHSA-624j-v5v7-qjpg",
  "modified": "2022-05-24T17:17:17Z",
  "published": "2022-05-24T17:17:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3188"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6293-2VG2-PMP5

Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-24 00:53
VLAI
Summary
Insufficient Session Expiration in NocoDB
Details

Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.9.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.91.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T00:53:03Z",
    "nvd_published_at": "2022-06-13T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.9.",
  "id": "GHSA-6293-2vg2-pmp5",
  "modified": "2022-06-24T00:53:03Z",
  "published": "2022-06-14T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2064"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/pull/2262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/pull/2338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.91.9"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in NocoDB"
}

GHSA-62GF-43C6-CFMP

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The system console configuration option \u0027log-out-on-disconnect\u0027 In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.",
  "id": "GHSA-62gf-43c6-cfmp",
  "modified": "2022-05-24T17:30:51Z",
  "published": "2022-05-24T17:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1666"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-62QF-QM3G-FVCW

Vulnerability from github – Published: 2024-08-05 09:30 – Updated: 2026-06-05 14:15
VLAI
Summary
Apache Airflow Providers FAB Insufficient Session Expiration vulnerability
Details

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB.

This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out.  

  • FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected)

  • FAB provider 1.2.0 affected all versions of Airflow.

Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.

Users who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.

Also upgrading Apache Airflow to latest version available is recommended.

Note: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images. 

Users are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow-providers-fab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-05T16:09:33Z",
    "nvd_published_at": "2024-08-05T08:15:56Z",
    "severity": "LOW"
  },
  "details": "Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB.\n\nThis issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out.\u00a0\u00a0\n\n* FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected)\n\n* FAB provider 1.2.0 affected all versions of Airflow.\n\nUsers who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.\n\nUsers who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.\n\nAlso upgrading Apache Airflow to latest version available is recommended.\n\nNote: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images.\u00a0\n\nUsers are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints.",
  "id": "GHSA-62qf-qm3g-fvcw",
  "modified": "2026-06-05T14:15:27Z",
  "published": "2024-08-05T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42447"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/40784"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-265.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/2zoo8cjlwfjhbfdxfgltcm0hnc0qmc52"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/08/04/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Airflow Providers FAB Insufficient Session Expiration vulnerability"
}

GHSA-636J-7X7R-GVW2

Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-13 13:28
VLAI
Summary
Old sessions not blocked by login enable function in Snipe-IT
Details

Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.0-RC-5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "snipe/snipe-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-RC-1"
            },
            {
              "fixed": "6.0.0-RC-6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "snipe/snipe-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T14:11:35Z",
    "nvd_published_at": "2022-03-30T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.",
  "id": "GHSA-636j-7x7r-gvw2",
  "modified": "2022-04-13T13:28:21Z",
  "published": "2022-03-31T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snipe/snipe-it/pull/10876"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snipe/snipe-it/commit/bdabbbd4e98e88ee01e728ceb4fd512661fbd38d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/snipe/snipe-it"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snipe/snipe-it/releases/tag/v5.4.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snipe/snipe-it/releases/tag/v6.0.0-RC-6"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/ebc26354-2414-4f72-88aa-f044aec2b2e1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Old sessions not blocked by login enable function in Snipe-IT"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.