CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CVE-2022-2888 (GCVE-0-2022-2888)
Vulnerability from cvelistv5 – Published: 2022-09-21 11:25 – Updated: 2025-05-28 15:22
VLAI
Title
Insufficient Session Expiration in octoprint/octoprint
Summary
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
Severity
4.4 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/d27d232b-2578-4b32-b3b… | x_refsource_CONFIRM |
| https://github.com/octoprint/octoprint/commit/40e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| octoprint | octoprint/octoprint |
Affected:
unspecified , < 1.8.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T15:22:05.235332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T15:22:09.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "octoprint/octoprint",
"vendor": "octoprint",
"versions": [
{
"lessThan": "1.8.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If an attacker comes into the possession of a victim\u0027s OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim\u0027s account exists."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-21T11:25:08.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4"
}
],
"source": {
"advisory": "d27d232b-2578-4b32-b3b4-74aabdadf629",
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration in octoprint/octoprint",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2888",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in octoprint/octoprint"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octoprint/octoprint",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.8.3"
}
]
}
}
]
},
"vendor_name": "octoprint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an attacker comes into the possession of a victim\u0027s OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim\u0027s account exists."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629"
},
{
"name": "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4",
"refsource": "MISC",
"url": "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4"
}
]
},
"source": {
"advisory": "d27d232b-2578-4b32-b3b4-74aabdadf629",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2888",
"datePublished": "2022-09-21T11:25:08.000Z",
"dateReserved": "2022-08-18T00:00:00.000Z",
"dateUpdated": "2025-05-28T15:22:09.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30277 (GCVE-0-2022-30277)
Vulnerability from cvelistv5 – Published: 2022-06-01 16:38 – Updated: 2024-09-16 17:43
VLAI
Title
BD Synapsys™ – Insufficient Session Expiration
Summary
BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).
Severity
5.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cybersecurity.bd.com/bulletins-and-patche… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Becton Dickinson (BD) | BD Synapsys™ |
Affected:
4.20 , ≤ 4.30
(custom)
|
Date Public
2022-05-31 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:36.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Synapsys\u2122",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.20",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys\u2122 workstation."
}
],
"datePublic": "2022-05-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "BD Synapsys\u2122, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:38:50.000Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
],
"solutions": [
{
"lang": "en",
"value": "BD Synapsys\u2122 v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys\u2122 v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Synapsys\u2122 \u2013 Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"value": "Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys\u2122. \n\nEnsure physical access controls are in place and only authorized end-users have access to BD Synapsys\u2122 workstations. \n\nPlace a reminder at each computer for users to logout when leaving the BD Synapsys\u2122 workstation. \n\nEnsure industry standard network security policies and procedures are followed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-05-31T15:00:00.000Z",
"ID": "CVE-2022-30277",
"STATE": "PUBLIC",
"TITLE": "BD Synapsys\u2122 \u2013 Insufficient Session Expiration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Synapsys\u2122",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.20",
"version_value": "4.30"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys\u2122 workstation."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BD Synapsys\u2122, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
]
},
"solution": [
{
"lang": "en",
"value": "BD Synapsys\u2122 v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys\u2122 v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys\u2122. \n\nEnsure physical access controls are in place and only authorized end-users have access to BD Synapsys\u2122 workstations. \n\nPlace a reminder at each computer for users to logout when leaving the BD Synapsys\u2122 workstation. \n\nEnsure industry standard network security policies and procedures are followed."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-30277",
"datePublished": "2022-06-01T16:38:50.425Z",
"dateReserved": "2022-05-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:43:27.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31050 (GCVE-0-2022-31050)
Vulnerability from cvelistv5 – Published: 2022-06-14 20:55 – Updated: 2025-04-23 18:15
VLAI
Title
Insufficient Session Expiration in TYPO3 Admin Tool
Summary
TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.
Severity
6 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/TYPO3/typo3/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/TYPO3/typo3/commit/59238797291… | x_refsource_MISC |
| https://typo3.org/security/advisory/typo3-core-sa… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2022-005"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31050",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:05:13.509386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:15:18.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "typo3",
"vendor": "TYPO3",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.5.34"
},
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.4.29"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T20:55:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2022-005"
}
],
"source": {
"advisory": "GHSA-wwjw-r3gj-39fq",
"discovery": "UNKNOWN"
},
"title": "Insufficient Session Expiration in TYPO3 Admin Tool",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31050",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in TYPO3 Admin Tool"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "typo3",
"version": {
"version_data": [
{
"version_value": "\u003e= 9.0.0, \u003c 9.5.34"
},
{
"version_value": "\u003e= 10.0.0, \u003c 10.4.29"
},
{
"version_value": "\u003e= 11.0.0, \u003c 11.5.11"
}
]
}
}
]
},
"vendor_name": "TYPO3"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq",
"refsource": "CONFIRM",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq"
},
{
"name": "https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d",
"refsource": "MISC",
"url": "https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d"
},
{
"name": "https://typo3.org/security/advisory/typo3-core-sa-2022-005",
"refsource": "MISC",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2022-005"
}
]
},
"source": {
"advisory": "GHSA-wwjw-r3gj-39fq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31050",
"datePublished": "2022-06-14T20:55:11.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:15:18.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31145 (GCVE-0-2022-31145)
Vulnerability from cvelistv5 – Published: 2022-07-13 20:30 – Updated: 2025-04-23 18:02
VLAI
Title
Insufficient AccessToken Expiration Check in FlyteAdmin
Summary
FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet.
Severity
6.5 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/flyteorg/flyteadmin/security/a… | x_refsource_CONFIRM |
| https://github.com/flyteorg/flyteadmin/pull/455 | x_refsource_MISC |
| https://github.com/flyteorg/flyteadmin/commit/a1e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| flyteorg | flyteadmin |
Affected:
<= 1.1.30
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/flyteorg/flyteadmin/pull/455"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:03:21.661256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:02:22.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flyteadmin",
"vendor": "flyteorg",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.30"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-13T20:30:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/flyteorg/flyteadmin/pull/455"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
}
],
"source": {
"advisory": "GHSA-qwrj-9hmp-gpxh",
"discovery": "UNKNOWN"
},
"title": "Insufficient AccessToken Expiration Check in FlyteAdmin",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31145",
"STATE": "PUBLIC",
"TITLE": "Insufficient AccessToken Expiration Check in FlyteAdmin"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flyteadmin",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.1.30"
}
]
}
}
]
},
"vendor_name": "flyteorg"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh",
"refsource": "CONFIRM",
"url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
},
{
"name": "https://github.com/flyteorg/flyteadmin/pull/455",
"refsource": "MISC",
"url": "https://github.com/flyteorg/flyteadmin/pull/455"
},
{
"name": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a",
"refsource": "MISC",
"url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
}
]
},
"source": {
"advisory": "GHSA-qwrj-9hmp-gpxh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31145",
"datePublished": "2022-07-13T20:30:12.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:02:22.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32759 (GCVE-0-2022-32759)
Vulnerability from cvelistv5 – Published: 2024-07-25 17:11 – Updated: 2024-08-03 07:46
VLAI
Title
IBM Security Directory Server information disclosure
Summary
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.
Severity
5.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7161446 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security Directory Integrator |
Affected:
7.2.0
cpe:2.3:a:ibm:security_verify_directory:10.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:security_directory_integrator:7.2.0:*:*:*:*:*:*:* |
|
| IBM | Security Verify Directory Integrator |
Affected:
10.0.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-32759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T14:51:28.734617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T14:52:31.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:44.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7161446"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228565"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_verify_directory:10.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:security_directory_integrator:7.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Security Directory Integrator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "7.2.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Security Verify Directory Integrator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, Ben Goodspeed"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565."
}
],
"value": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T17:11:44.253Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7161446"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228565"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security Directory Server information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-32759",
"datePublished": "2024-07-25T17:11:44.253Z",
"dateReserved": "2022-06-09T15:49:18.233Z",
"dateUpdated": "2024-08-03T07:46:44.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33137 (GCVE-0-2022-33137)
Vulnerability from cvelistv5 – Published: 2022-07-12 10:06 – Updated: 2024-08-03 08:01
VLAI
Summary
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.
Severity
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_MISC |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SIMATIC MV540 H |
Affected:
All versions < V3.3
|
|
| Siemens | SIMATIC MV540 S |
Affected:
All versions < V3.3
|
|
| Siemens | SIMATIC MV550 H |
Affected:
All versions < V3.3
|
|
| Siemens | SIMATIC MV550 S |
Affected:
All versions < V3.3
|
|
| Siemens | SIMATIC MV560 U |
Affected:
All versions < V3.3
|
|
| Siemens | SIMATIC MV560 X |
Affected:
All versions < V3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:19.904Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SIMATIC MV540 H",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3"
}
]
},
{
"product": "SIMATIC MV540 S",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3"
}
]
},
{
"product": "SIMATIC MV550 H",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3"
}
]
},
{
"product": "SIMATIC MV550 S",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3"
}
]
},
{
"product": "SIMATIC MV560 U",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3"
}
]
},
{
"product": "SIMATIC MV560 X",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SIMATIC MV540 H (All versions \u003c V3.3), SIMATIC MV540 S (All versions \u003c V3.3), SIMATIC MV550 H (All versions \u003c V3.3), SIMATIC MV550 S (All versions \u003c V3.3), SIMATIC MV560 U (All versions \u003c V3.3), SIMATIC MV560 X (All versions \u003c V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users\u0027 sessions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T10:06:44.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2022-33137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SIMATIC MV540 H",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.3"
}
]
}
},
{
"product_name": "SIMATIC MV540 S",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.3"
}
]
}
},
{
"product_name": "SIMATIC MV550 H",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.3"
}
]
}
},
{
"product_name": "SIMATIC MV550 S",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.3"
}
]
}
},
{
"product_name": "SIMATIC MV560 U",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.3"
}
]
}
},
{
"product_name": "SIMATIC MV560 X",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.3"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in SIMATIC MV540 H (All versions \u003c V3.3), SIMATIC MV540 S (All versions \u003c V3.3), SIMATIC MV550 H (All versions \u003c V3.3), SIMATIC MV550 S (All versions \u003c V3.3), SIMATIC MV560 U (All versions \u003c V3.3), SIMATIC MV560 X (All versions \u003c V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users\u0027 sessions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-33137",
"datePublished": "2022-07-12T10:06:44.000Z",
"dateReserved": "2022-06-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T08:01:19.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3362 (GCVE-0-2022-3362)
Vulnerability from cvelistv5 – Published: 2022-11-14 00:00 – Updated: 2025-04-30 17:48
VLAI
Title
Insufficient Session Expiration in ikus060/rdiffweb
Summary
Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.
Severity
6.1 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ikus060 | ikus060/rdiffweb |
Affected:
unspecified , < 2.5.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/ca428c31-858d-47fa-adc9-2a59f8e8b2b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ikus060/rdiffweb/commit/6efb995bc32c8a8e9ad755eb813dec991dffb2b8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3362",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T17:48:18.272596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T17:48:44.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ikus060/rdiffweb",
"vendor": "ikus060",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-14T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/ca428c31-858d-47fa-adc9-2a59f8e8b2b1"
},
{
"url": "https://github.com/ikus060/rdiffweb/commit/6efb995bc32c8a8e9ad755eb813dec991dffb2b8"
}
],
"source": {
"advisory": "ca428c31-858d-47fa-adc9-2a59f8e8b2b1",
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration in ikus060/rdiffweb"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3362",
"datePublished": "2022-11-14T00:00:00.000Z",
"dateReserved": "2022-09-29T00:00:00.000Z",
"dateUpdated": "2025-04-30T17:48:44.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34392 (GCVE-0-2022-34392)
Vulnerability from cvelistv5 – Published: 2023-02-10 20:26 – Updated: 2025-03-26 15:19
VLAI
Summary
SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.
Severity
5.5 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/000204114 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | SupportAssist |
Affected:
0 , ≤ 3.11.4
(custom)
|
Date Public
2022-10-12 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:07:16.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/000204114"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-34392",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T14:35:44.127545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:19:54.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportAssist",
"vendor": "Dell",
"versions": [
{
"lessThanOrEqual": "3.11.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-10-12T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cdiv\u003e\u003cdiv\u003eSupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.\u003c/div\u003e\u003c/div\u003e\n\n"
}
],
"value": "\nSupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.\n\n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-10T20:26:21.460Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/000204114"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2022-34392",
"datePublished": "2023-02-10T20:26:21.460Z",
"dateReserved": "2022-06-23T18:55:17.093Z",
"dateUpdated": "2025-03-26T15:19:54.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35728 (GCVE-0-2022-35728)
Vulnerability from cvelistv5 – Published: 2022-08-04 17:49 – Updated: 2024-09-16 16:42
VLAI
Title
iControl REST vulnerability CVE-2022-35728
Summary
In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity
8.1 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://support.f5.com/csp/article/K55580033 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | BIG-IP |
Affected:
13.1.0 , < 13.1.x*
(custom)
Affected: 14.1.x , < 14.1.5.1 (custom) Affected: 15.1.x , < 15.1.6.1 (custom) Affected: 16.1.x , < 16.1.3.1 (custom) Affected: 17.0.x , < 17.0.0.1 (custom) |
|
| F5 | BIG-IQ Centralized Management |
Affected:
8.0.x , < 8.2.0
(custom)
Affected: 7.0.0 , < 7.x* (custom) |
Date Public
2022-08-03 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:21.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K55580033"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "13.1.x*",
"status": "affected",
"version": "13.1.0",
"versionType": "custom"
},
{
"lessThan": "14.1.5.1",
"status": "affected",
"version": "14.1.x",
"versionType": "custom"
},
{
"lessThan": "15.1.6.1",
"status": "affected",
"version": "15.1.x",
"versionType": "custom"
},
{
"lessThan": "16.1.3.1",
"status": "affected",
"version": "16.1.x",
"versionType": "custom"
},
{
"lessThan": "17.0.0.1",
"status": "affected",
"version": "17.0.x",
"versionType": "custom"
}
]
},
{
"product": "BIG-IQ Centralized Management",
"vendor": "F5",
"versions": [
{
"lessThan": "8.2.0",
"status": "affected",
"version": "8.0.x",
"versionType": "custom"
},
{
"lessThan": "7.x*",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "F5 acknowledges BELARCHAOUI Youcef of ELIT / El Djazair Information Technology for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"datePublic": "2022-08-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user\u0027s iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T17:49:50.000Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K55580033"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "iControl REST vulnerability CVE-2022-35728",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"DATE_PUBLIC": "2022-08-03T14:00:00.000Z",
"ID": "CVE-2022-35728",
"STATE": "PUBLIC",
"TITLE": "iControl REST vulnerability CVE-2022-35728"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BIG-IP",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "13.1.x",
"version_value": "13.1.0"
},
{
"version_affected": "\u003c",
"version_name": "14.1.x",
"version_value": "14.1.5.1"
},
{
"version_affected": "\u003c",
"version_name": "15.1.x",
"version_value": "15.1.6.1"
},
{
"version_affected": "\u003c",
"version_name": "16.1.x",
"version_value": "16.1.3.1"
},
{
"version_affected": "\u003c",
"version_name": "17.0.x",
"version_value": "17.0.0.1"
}
]
}
},
{
"product_name": "BIG-IQ Centralized Management",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.0.x",
"version_value": "8.2.0"
},
{
"version_affected": "\u003e=",
"version_name": "7.x",
"version_value": "7.0.0"
}
]
}
}
]
},
"vendor_name": "F5"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "F5 acknowledges BELARCHAOUI Youcef of ELIT / El Djazair Information Technology for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user\u0027s iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K55580033",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K55580033"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2022-35728",
"datePublished": "2022-08-04T17:49:50.388Z",
"dateReserved": "2022-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:42:29.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38382 (GCVE-0-2022-38382)
Vulnerability from cvelistv5 – Published: 2024-08-13 01:01 – Updated: 2024-09-21 09:50
VLAI
Title
IBM Cloud Pak for Security session fixation
Summary
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672.
Severity
4.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7165286 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | QRadar Suite Software |
Affected:
1.10.12.0 , ≤ 1.10.23.0
(semver)
cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:qradar_suite:1.10.23.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_security:1.10.11.0:*:*:*:*:*:*:* |
|
| IBM | Cloud Pak for Security |
Affected:
1.10.0.0 , ≤ 1.10.11.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T19:02:36.193272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T19:03:01.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:qradar_suite:1.10.23.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_security:1.10.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "QRadar Suite Software",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.23.0",
"status": "affected",
"version": "1.10.12.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud Pak for Security",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.11.0",
"status": "affected",
"version": "1.10.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672."
}
],
"value": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-21T09:50:16.866Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7165286"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233672"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cloud Pak for Security session fixation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-38382",
"datePublished": "2024-08-13T01:01:33.992Z",
"dateReserved": "2022-08-16T18:42:49.431Z",
"dateUpdated": "2024-09-21T09:50:16.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.