CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CVE-2021-3844 (GCVE-0-2021-3844)
Vulnerability from cvelistv5 – Published: 2023-03-24 16:37 – Updated: 2025-02-19 20:27
Title
Rapid7 InsightVM Insufficient Session Expiration
Summary
Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638.
Severity
5.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
References
2 references
| URL | Tags |
|---|---|
| https://docs.rapid7.com/insightvm/enable-insightv… | release-notes |
| https://www.cve.org/cverecord?id=CVE-2019-5638 | related |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.rapid7.com/insightvm/enable-insightvm-platform-login"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/cverecord?id=CVE-2019-5638"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3844",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T20:27:03.595822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T20:27:19.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InsightVM",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "6.5.50",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ashutosh Barot"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user\u0027s password is changed by an administrator due to an otherwise unrelated credential leak, that user account\u0027s current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to\u0026nbsp;CVE-2019-5638."
}
],
"value": "Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user\u0027s password is changed by an administrator due to an otherwise unrelated credential leak, that user account\u0027s current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to\u00a0CVE-2019-5638."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T16:38:26.619Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.rapid7.com/insightvm/enable-insightvm-platform-login"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/cverecord?id=CVE-2019-5638"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rapid7 InsightVM Insufficient Session Expiration",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-3844",
"datePublished": "2023-03-24T16:37:56.633Z",
"dateReserved": "2021-09-30T17:25:53.996Z",
"dateUpdated": "2025-02-19T20:27:19.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41247 (GCVE-0-2021-41247)
Vulnerability from cvelistv5 – Published: 2021-11-04 17:15 – Updated: 2024-08-04 03:08
Title
incomplete logout in JupyterHub
Summary
JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions, users who have multiple JupyterLab tabs open in the same browser session may see an incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) are reinstated after logout if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out.
CWE
- CWE-613 - Insufficient Session Expiration
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jupyterhub/jupyterhub/security… | x_refsource_CONFIRM |
| https://github.com/jupyterhub/jupyterhub/commit/5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| jupyterhub | jupyterhub | Affected: >= 1.0.0, < 1.5.0 - jupyterhub (pip); Affected: < 1.2.0 - jupyterhub (helm) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jupyterhub",
"vendor": "jupyterhub",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.5.0 - jupyterhub (pip)"
},
{
"status": "affected",
"version": "\u003c 1.2.0 - jupyterhub (helm)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-04T17:15:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27"
}
],
"source": {
"advisory": "GHSA-cw7p-q79f-m2v7",
"discovery": "UNKNOWN"
},
"title": "incomplete logout in JupyterHub",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41247",
"STATE": "PUBLIC",
"TITLE": "incomplete logout in JupyterHub"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jupyterhub",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.0.0, \u003c 1.5.0 - jupyterhub (pip)"
},
{
"version_value": "\u003c 1.2.0 - jupyterhub (helm)"
}
]
}
}
]
},
"vendor_name": "jupyterhub"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7",
"refsource": "CONFIRM",
"url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7"
},
{
"name": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27",
"refsource": "MISC",
"url": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27"
}
]
},
"source": {
"advisory": "GHSA-cw7p-q79f-m2v7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41247",
"datePublished": "2021-11-04T17:15:11.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:31.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42545 (GCVE-0-2021-42545)
Vulnerability from cvelistv5 – Published: 2021-11-30 11:28 – Updated: 2024-08-04 03:38
Title
Insufficient Session Expiration in TopEase
Summary
An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
Severity
8.1 (High)
CWE
- CWE-613 - Insufficient Session Expiration
References
1 reference
| URL | Tags |
|---|---|
| https://confluence.topease.ch/confluence/display/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Business-DNA Solutions GmbH | TopEase | Affected: unspecified, ≤ 7.1.27 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TopEase",
"vendor": "Business-DNA Solutions GmbH",
"versions": [
{
"lessThanOrEqual": "7.1.27",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "SIX Group Services AG, Cyber Controls"
}
],
"descriptions": [
{
"lang": "en",
"value": "An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version \u003c= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-30T11:28:15.000Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration in TopEase",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerability@ncsc.ch",
"ID": "CVE-2021-42545",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in TopEase"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "TopEase",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "7.1.27"
}
]
}
}
]
},
"vendor_name": "Business-DNA Solutions GmbH"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "SIX Group Services AG, Cyber Controls"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version \u003c= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes",
"refsource": "CONFIRM",
"url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2021-42545",
"datePublished": "2021-11-30T11:28:15.000Z",
"dateReserved": "2021-10-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:38:49.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43791 (GCVE-0-2021-43791)
Vulnerability from cvelistv5 – Published: 2021-12-02 00:15 – Updated: 2024-08-04 04:03
Title
Ineffective expiration validation for invitation links in Zulip
Summary
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions, expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/, meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.
Severity
6.5 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
References
2 references
| URL | Tags |
|---|---|
| https://github.com/zulip/zulip/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/zulip/zulip/commit/a014ef75a3a… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-wj76-pcqr-mf9f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zulip/zulip/commit/a014ef75a3a0ed7f24ebb157632ba58751e732c6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zulip",
"vendor": "zulip",
"versions": [
{
"status": "affected",
"version": "\u003c 4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T00:15:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-wj76-pcqr-mf9f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zulip/zulip/commit/a014ef75a3a0ed7f24ebb157632ba58751e732c6"
}
],
"source": {
"advisory": "GHSA-wj76-pcqr-mf9f",
"discovery": "UNKNOWN"
},
"title": "Ineffective expiration validation for invitation links in Zulip",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43791",
"STATE": "PUBLIC",
"TITLE": "Ineffective expiration validation for invitation links in Zulip"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zulip",
"version": {
"version_data": [
{
"version_value": "\u003c 4.8"
}
]
}
}
]
},
"vendor_name": "zulip"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zulip/zulip/security/advisories/GHSA-wj76-pcqr-mf9f",
"refsource": "CONFIRM",
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-wj76-pcqr-mf9f"
},
{
"name": "https://github.com/zulip/zulip/commit/a014ef75a3a0ed7f24ebb157632ba58751e732c6",
"refsource": "MISC",
"url": "https://github.com/zulip/zulip/commit/a014ef75a3a0ed7f24ebb157632ba58751e732c6"
}
]
},
"source": {
"advisory": "GHSA-wj76-pcqr-mf9f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43791",
"datePublished": "2021-12-02T00:15:11.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:03:08.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46279 (GCVE-0-2021-46279)
Vulnerability from cvelistv5 – Published: 2022-10-24 00:00 – Updated: 2025-05-07 13:43
Title
Session Fixation and Insufficient Session Expiration
Summary
Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
Severity
5.8 (Medium)
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Lanner Inc | IAC-AST2500A | Affected: 1.10.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:02:11.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories/cve-2021-46279/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:40:03.764652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:43:25.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IAC-AST2500A",
"vendor": "Lanner Inc",
"versions": [
{
"status": "affected",
"version": "1.10.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andrea Palanca of Nozomi Networks found this bug during a security research activity."
}
],
"descriptions": [
{
"lang": "en",
"value": "Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-01T00:00:00.000Z",
"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
"shortName": "Nozomi"
},
"references": [
{
"url": "https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/"
},
{
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories/cve-2021-46279/"
}
],
"source": {
"advisory": "https://www.nozominetworks.com/labs/vulnerability-advisories/cve-2021-46279/",
"discovery": "EXTERNAL"
},
"title": "Session Fixation and Insufficient Session Expiration",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
"assignerShortName": "Nozomi",
"cveId": "CVE-2021-46279",
"datePublished": "2022-10-24T00:00:00.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2025-05-07T13:43:25.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47663 (GCVE-0-2021-47663)
Vulnerability from cvelistv5 – Published: 2025-04-24 09:25 – Updated: 2025-04-24 15:22
Title
Improper session handling
Summary
Due to an improper JSON Web Tokens implementation, an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.
Severity
8.1 (High)
CWE
- CWE-613 - Insufficient Session Expiration
References
1 reference
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Franka Robotics | Franka Emika Robot | Affected: 0.0.0, ≤ 4.0.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T13:46:29.228655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T15:22:23.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Franka Emika Robot",
"vendor": "Franka Robotics",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Siegfried Hollerer by TU Wien"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper\u0026nbsp;JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access."
}
],
"value": "Due to improper\u00a0JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T09:25:23.807Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.sciencedirect.com/science/article/pii/S2351978921001657"
}
],
"source": {
"defect": [
"CERT@VDE#641761"
],
"discovery": "UNKNOWN"
},
"title": "Improper session handling",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2021-47663",
"datePublished": "2025-04-24T09:25:23.807Z",
"dateReserved": "2025-03-17T08:25:16.736Z",
"dateUpdated": "2025-04-24T15:22:23.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47740 (GCVE-0-2021-47740)
Vulnerability from cvelistv5 – Published: 2025-12-31 18:40 – Updated: 2026-01-02 20:42
Title
KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability
Summary
KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms.
CWE
- CWE-613 - Insufficient Session Expiration
References
7 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | third-party-advisory |
| https://packetstormsecurity.com/files/161892/ | exploit |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| http://www.kzbtech.com/ | product |
| https://www.jatontech.com/ | product |
| https://neotel.mk/ | product |
| https://www.vulncheck.com/advisories/kztech-jtv-g… | third-party-advisory |
Impacted products
15 products
| Vendor | Product | Version |
|---|---|---|
| KZ Broadband Technologies, Ltd. | JT3500V | Affected: 2.0.1B1064; Affected: 2.0.1B1047 |
| KZ Broadband Technologies, Ltd. | AM6200M | Affected: 2.0.0B3210 |
| KZ Broadband Technologies, Ltd. | AM6000N | Affected: 2.0.0B3042 |
| KZ Broadband Technologies, Ltd. | AM5000W | Affected: 2.0.0B3037 |
| KZ Broadband Technologies, Ltd. | AM4200M | Affected: 2.0.0B2996 |
| KZ Broadband Technologies, Ltd. | AM4100V | Affected: 2.0.0B2988 |
| KZ Broadband Technologies, Ltd. | AM3500MW | Affected: 2.0.0B1092 |
| KZ Broadband Technologies, Ltd. | AM3410V | Affected: 2.0.0B1085 |
| KZ Broadband Technologies, Ltd. | AM3300V | Affected: 2.0.0B1060 |
| KZ Broadband Technologies, Ltd. | AM3100E | Affected: 2.0.0B981 |
| KZ Broadband Technologies, Ltd. | AM3100V | Affected: 2.0.0B946 |
| KZ Broadband Technologies, Ltd. | AM3000M | Affected: 2.0.0B21 |
| KZ Broadband Technologies, Ltd. | KZ7621U | Affected: 2.0.0B14 |
| KZ Broadband Technologies, Ltd. | KZ3220M | Affected: 2.0.0B04 |
| KZ Broadband Technologies, Ltd. | KZ3120R | Affected: 2.0.0B01 |
Date Public
2021-03-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47740",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-02T20:42:28.575250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T20:42:41.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "JT3500V",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.1B1064"
},
{
"status": "affected",
"version": "2.0.1B1047"
}
]
},
{
"product": "AM6200M",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B3210"
}
]
},
{
"product": "AM6000N",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B3042"
}
]
},
{
"product": "AM5000W",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B3037"
}
]
},
{
"product": "AM4200M",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B2996"
}
]
},
{
"product": "AM4100V",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B2988"
}
]
},
{
"product": "AM3500MW",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B1092"
}
]
},
{
"product": "AM3410V",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B1085"
}
]
},
{
"product": "AM3300V",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B1060"
}
]
},
{
"product": "AM3100E",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B981"
}
]
},
{
"product": "AM3100V",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B946"
}
]
},
{
"product": "AM3000M",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B21"
}
]
},
{
"product": "KZ7621U",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B14"
}
]
},
{
"product": "KZ3220M",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B04"
}
]
},
{
"product": "KZ3120R",
"vendor": "KZ Broadband Technologies, Ltd.",
"versions": [
{
"status": "affected",
"version": "2.0.0B01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
}
],
"datePublic": "2021-03-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-31T18:40:53.590Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Zero Science Lab Disclosure (ZSL-2021-5646)",
"tags": [
"third-party-advisory"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5646.php"
},
{
"name": "Packet Storm Security Exploit Entry",
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/161892/"
},
{
"name": "IBM X-Force Vulnerability Exchange Entry",
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198471"
},
{
"name": "KZ TECH Vendor Homepage",
"tags": [
"product"
],
"url": "http://www.kzbtech.com/"
},
{
"name": "JATON TEC Homepage",
"tags": [
"product"
],
"url": "https://www.jatontech.com/"
},
{
"name": "Neotel Vendor Homepage",
"tags": [
"product"
],
"url": "https://neotel.mk/"
},
{
"name": "VulnCheck Advisory: KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/kztech-jtv-g-lte-cpe-insufficient-session-expiration-vulnerability"
}
],
"title": "KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47740",
"datePublished": "2025-12-31T18:40:53.590Z",
"dateReserved": "2025-12-23T13:24:04.581Z",
"dateUpdated": "2026-01-02T20:42:41.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0991 (GCVE-0-2022-0991)
Vulnerability from cvelistv5 – Published: 2022-03-19 07:35 – Updated: 2024-08-02 23:47
VLAI
Title
Insufficient Session Expiration in admidio/admidio
Summary
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.
Severity
8.2 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/1c406a4e-15d0-4920-849… | x_refsource_CONFIRM |
| https://github.com/admidio/admidio/commit/e84e472… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Affected versions |
|---|---|---|
| admidio | admidio/admidio | unspecified, < 4.1.9 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1c406a4e-15d0-4920-8495-731c48473ba4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "admidio/admidio",
"vendor": "admidio",
"versions": [
{
"lessThan": "4.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-19T07:35:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1c406a4e-15d0-4920-8495-731c48473ba4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a"
}
],
"source": {
"advisory": "1c406a4e-15d0-4920-8495-731c48473ba4",
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration in admidio/admidio",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0991",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in admidio/admidio"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "admidio/admidio",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.1.9"
}
]
}
}
]
},
"vendor_name": "admidio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1c406a4e-15d0-4920-8495-731c48473ba4",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1c406a4e-15d0-4920-8495-731c48473ba4"
},
{
"name": "https://github.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a",
"refsource": "MISC",
"url": "https://github.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a"
}
]
},
"source": {
"advisory": "1c406a4e-15d0-4920-8495-731c48473ba4",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0991",
"datePublished": "2022-03-19T07:35:09.000Z",
"dateReserved": "2022-03-15T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:47:42.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2064 (GCVE-0-2022-2064)
Vulnerability from cvelistv5 – Published: 2022-06-13 11:45 – Updated: 2024-08-03 00:24
VLAI
Title
Insufficient Session Expiration in nocodb/nocodb
Summary
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
Severity
9.1 (Critical)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/39523d51-fc5c-48b8-a08… | x_refsource_CONFIRM |
| https://github.com/nocodb/nocodb/commit/c9b5111b2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Affected versions |
|---|---|---|
| nocodb | nocodb/nocodb | unspecified, < 0.91.7+ (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nocodb/nocodb",
"vendor": "nocodb",
"versions": [
{
"lessThan": "0.91.7+",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T11:45:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b"
}
],
"source": {
"advisory": "39523d51-fc5c-48b8-a082-171da79761bb",
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration in nocodb/nocodb",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2064",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in nocodb/nocodb"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nocodb/nocodb",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.91.7+"
}
]
}
}
]
},
"vendor_name": "nocodb"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb"
},
{
"name": "https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b",
"refsource": "MISC",
"url": "https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b"
}
]
},
"source": {
"advisory": "39523d51-fc5c-48b8-a082-171da79761bb",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2064",
"datePublished": "2022-06-13T11:45:15.000Z",
"dateReserved": "2022-06-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21652 (GCVE-0-2022-21652)
Vulnerability from cvelistv5 – Published: 2022-01-05 19:20 – Updated: 2025-04-23 19:14
VLAI
Title
Insufficient Session Expiration in shopware
Summary
Shopware is an open source e-commerce software platform. In affected versions Shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted so that sessions created prior to the latest password change of a customer account can't be used to log in with said account. This also means that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://docs.shopware.com/en/shopware-5-en/securi… | x_refsource_MISC |
| https://github.com/shopware/shopware/security/adv… | x_refsource_CONFIRM |
| https://github.com/shopware/shopware/commit/47ebd… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.393Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:12:32.187335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:14:34.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"status": "affected",
"version": "\u003e=5.7.3, \u003c 5.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can\u0027t be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-05T19:20:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0"
}
],
"source": {
"advisory": "GHSA-p523-jrph-qjc6",
"discovery": "UNKNOWN"
},
"title": "Insufficient Session Expiration in shopware",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21652",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in shopware"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "shopware",
"version": {
"version_data": [
{
"version_value": "\u003e=5.7.3, \u003c 5.7.7"
}
]
}
}
]
},
"vendor_name": "shopware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can\u0027t be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022",
"refsource": "MISC",
"url": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"
},
{
"name": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6",
"refsource": "CONFIRM",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6"
},
{
"name": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0",
"refsource": "MISC",
"url": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0"
}
]
},
"source": {
"advisory": "GHSA-p523-jrph-qjc6",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21652",
"datePublished": "2022-01-05T19:20:18.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:14:34.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Set an expiration date for sessions and credentials.
No CAPEC attack patterns related to this CWE.