CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
872 vulnerabilities reference this CWE, most recent first.
GHSA-VM6P-35RW-3FXC
Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-18 19:14Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "aheinze/cockpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2713"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:14:08Z",
"nvd_published_at": "2022-08-08T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.",
"id": "GHSA-vm6p-35rw-3fxc",
"modified": "2022-08-18T19:14:08Z",
"published": "2022-08-09T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2713"
},
{
"type": "WEB",
"url": "https://github.com/cockpit-hq/cockpit/commit/dd8d0314912fa6517ebd2cc9939d9fafbe68731b"
},
{
"type": "PACKAGE",
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3080fc96-75d7-4868-84de-9fc8c9b90290"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cockpit before 2.2.0 vulnerable to Insufficient Session Expiration"
}
GHSA-VP66-GF7W-9M4X
Vulnerability from github – Published: 2024-02-17 06:30 – Updated: 2024-02-20 23:47All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/greenpau/caddy-security"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21492"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-20T23:47:50Z",
"nvd_published_at": "2024-02-17T05:15:08Z",
"severity": "MODERATE"
},
"details": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the \"Sign Out\" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.",
"id": "GHSA-vp66-gf7w-9m4x",
"modified": "2024-02-20T23:47:50Z",
"published": "2024-02-17T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21492"
},
{
"type": "WEB",
"url": "https://github.com/greenpau/caddy-security/issues/272"
},
{
"type": "WEB",
"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787"
},
{
"type": "PACKAGE",
"url": "github.com/greenpau/caddy-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in github.com/greenpau/caddy-security"
}
GHSA-VPFW-47H7-XJ4G
Vulnerability from github – Published: 2025-05-08 14:45 – Updated: 2025-05-09 14:34Summary
When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.
Details
Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.
Impact
When using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.
Mitigation
- Update to the latest version of
rack, or - Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a
logged_outflag, instead of deleting them, and check this flag on every request to prevent reuse, or - Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
Related
As this code was moved to rack-session in Rack 3+, see https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj for the equivalent advisory in rack-session (affecting Rack 3+ only).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.13"
},
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32441"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-08T14:45:18Z",
"nvd_published_at": "2025-05-07T23:15:53Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.\n\n### Details\n\n[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270) prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.\n\n### Impact\n\nWhen using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.\n\n## Mitigation\n\n- Update to the latest version of `rack`, or\n- Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse, or\n- Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.\n\n### Related\n\nAs this code was moved to `rack-session` in Rack 3+, see \u003chttps://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj\u003e for the equivalent advisory in `rack-session` (affecting Rack 3+ only).",
"id": "GHSA-vpfw-47h7-xj4g",
"modified": "2025-05-09T14:34:16Z",
"published": "2025-05-08T14:45:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32441"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rack session gets restored after deletion"
}
GHSA-VQ32-QXMX-986V
Vulnerability from github – Published: 2023-07-31 03:30 – Updated: 2023-07-31 03:30Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.
{
"affected": [],
"aliases": [
"CVE-2023-4005"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-31T01:15:09Z",
"severity": "LOW"
},
"details": "Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.",
"id": "GHSA-vq32-qxmx-986v",
"modified": "2023-07-31T03:30:23Z",
"published": "2023-07-31T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4005"
},
{
"type": "WEB",
"url": "https://github.com/fossbilling/fossbilling/commit/20c23b051eb690cb4ae60a257f6bb46eb3aae2d1"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f0aacce1-79bc-4765-95f1-7e824433b9e4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR2W-6JC9-59FH
Vulnerability from github – Published: 2022-10-24 19:00 – Updated: 2022-10-24 19:00Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
{
"affected": [],
"aliases": [
"CVE-2021-46279"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.",
"id": "GHSA-vr2w-6jc9-59fh",
"modified": "2022-10-24T19:00:16Z",
"published": "2022-10-24T19:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46279"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/blob/master/2021/46xxx/CVE-2021-46279.json"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories/CVE-2021-46279"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR7M-C6V4-8CX8
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-08 19:45A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoke_token() call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with FabAuthManager or KeycloakAuthManager (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side revoke_token() reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to apache-airflow 3.2.2 or later to cover the FAB / Keycloak logout paths.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48726"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-08T19:45:43Z",
"nvd_published_at": "2026-06-01T09:16:20Z",
"severity": "MODERATE"
},
"details": "A bug in Apache Airflow\u0027s auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.",
"id": "GHSA-vr7m-c6v4-8cx8",
"modified": "2026-07-08T19:45:43Z",
"published": "2026-06-01T09:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48726"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/67289"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-187.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57735"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow: Auth manager doesn\u0027t invalidate JWT tokens after users click logout"
}
GHSA-VWF2-F9CG-9FG8
Vulnerability from github – Published: 2023-06-19 06:30 – Updated: 2024-04-04 04:56In Siren Investigate before 13.2.2, session keys remain active even after logging out.
{
"affected": [],
"aliases": [
"CVE-2023-35857"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-19T04:15:11Z",
"severity": "CRITICAL"
},
"details": "In Siren Investigate before 13.2.2, session keys remain active even after logging out.",
"id": "GHSA-vwf2-f9cg-9fg8",
"modified": "2024-04-04T04:56:00Z",
"published": "2023-06-19T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35857"
},
{
"type": "WEB",
"url": "https://community.siren.io/c/announcements"
},
{
"type": "WEB",
"url": "https://docs.support.siren.io/siren-platform-user-guide/13.2/release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWHP-8JH2-Q93M
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-04 00:01Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
{
"affected": [],
"aliases": [
"CVE-2014-2595"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-12T01:15:00Z",
"severity": "CRITICAL"
},
"details": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.",
"id": "GHSA-vwhp-8jh2-q93m",
"modified": "2024-04-04T00:01:17Z",
"published": "2022-05-17T19:57:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2595"
},
{
"type": "WEB",
"url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39278"
},
{
"type": "WEB",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/69028"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Aug/5"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/109782"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWJ8-4GRF-3R8V
Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2025-06-27 20:08In implementation for the portal services before 5.7.3 in Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:com.liferay.portal.impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.10.fp96"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.10.fp18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0"
},
{
"fixed": "7.2.10.fp5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33322"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-27T20:08:13Z",
"nvd_published_at": "2021-08-03T19:15:00Z",
"severity": "HIGH"
},
"details": "In implementation for the portal services before 5.7.3 in Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user\u2019s password via the old password reset token.",
"id": "GHSA-vwj8-4grf-3r8v",
"modified": "2025-06-27T20:08:14Z",
"published": "2022-05-24T22:29:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33322"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/8f072ee8527a1dd5c0ffa91c4a78641d0e666b95"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/9fe453b34f58286a504d995be8ba50499adcf1b7"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-16981"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-33322-password-change-does-not-invalidate-password-reset-tokens?p_r_p_assetEntryId=121610648\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121610648%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use"
}
GHSA-VX8M-6FHW-PCCW
Vulnerability from github – Published: 2023-08-21 20:13 – Updated: 2023-08-21 20:13Summary
The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter.
Details
It was noticed that in the validatePostRequestAsync() flow in saml.js, the current timestamp is never checked. This could present a vulnerability where a user who has an XML LogoutRequest could validated it if the IssueInstance and the NotOnOrAfter are valid along with valid credentials (signature, certificate etc.).
PoC
I was able to validate a sample valid LogoutRequest XML multiple times through postman by sending it to my endpoint regardless if the current present time was past the NotOnOrAfter time. After some further testing, it seems that only the IssueInstance is checked against NotOnOrAfter. Not sure if this was the intended behaviour but I believe having a never expiring valid LogoutRequest could be dangerous.
Impact
This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@node-saml/node-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40178"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-21T20:13:05Z",
"nvd_published_at": "2023-08-23T21:15:08Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. \n\n### Details\n\nIt was noticed that in the validatePostRequestAsync() flow in saml.js, the current timestamp is never checked. This could present a vulnerability where a user who has an XML LogoutRequest could validated it if the IssueInstance and the NotOnOrAfter are valid along with valid credentials (signature, certificate etc.). \n\n### PoC\n\nI was able to validate a sample valid LogoutRequest XML multiple times through postman by sending it to my endpoint regardless if the current present time was past the NotOnOrAfter time. After some further testing, it seems that only the IssueInstance is checked against NotOnOrAfter. Not sure if this was the intended behaviour but I believe having a never expiring valid LogoutRequest could be dangerous.\n\n### Impact\n\nThis could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale.\n",
"id": "GHSA-vx8m-6fhw-pccw",
"modified": "2023-08-21T20:13:05Z",
"published": "2023-08-21T20:13:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-vx8m-6fhw-pccw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40178"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/node-saml/commit/045e3b9c54211fdb95f96edf363679845b195cec"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-saml/node-saml"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/node-saml/releases/tag/v4.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "@node-saml/node-saml\u0027s validatePostRequestAsync does not include checkTimestampsValidityError"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.