CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CVE-2022-3867 (GCVE-0-2022-3867)
Vulnerability from cvelistv5 – Published: 2022-11-10 05:45 – Updated: 2025-05-01 19:04
VLAI
Title
Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected
Summary
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| HashiCorp | Nomad |
Affected:
1.4.0
Affected: 1.4.1 |
|
| HashiCorp | Nomad Enterprise |
Affected:
1.4.0
Affected: 1.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T19:03:58.553932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T19:04:09.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Nomad",
"repo": "https://github.com/hashicorp/nomad",
"vendor": "HashiCorp",
"versions": [
{
"status": "affected",
"version": "1.4.0"
},
{
"status": "affected",
"version": "1.4.1"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Nomad Enterprise",
"vendor": "HashiCorp",
"versions": [
{
"status": "affected",
"version": "1.4.0"
},
{
"status": "affected",
"version": "1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2."
}
],
"value": "HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T05:45:53.550Z",
"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"shortName": "HashiCorp"
},
"references": [
{
"url": "https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected"
}
},
"cveMetadata": {
"assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"assignerShortName": "HashiCorp",
"cveId": "CVE-2022-3867",
"datePublished": "2022-11-10T05:45:53.550Z",
"dateReserved": "2022-11-04T22:54:20.822Z",
"dateUpdated": "2025-05-01T19:04:09.365Z",
"requesterUserId": "5311d85b-fc2e-473d-9ddd-71031e52448b",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38707 (GCVE-0-2022-38707)
Vulnerability from cvelistv5 – Published: 2023-05-05 13:54 – Updated: 2025-01-29 16:56
VLAI
Title
IBM Cognos Command Center information disclosure
Summary
IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179.
Severity
4 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/6983274 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Command Center |
Affected:
10.2.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:02:14.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6983274"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/234179"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T16:55:58.091573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T16:56:04.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cognos Command Center",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.2.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179."
}
],
"value": "IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-05T13:54:45.562Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/6983274"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/234179"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Command Center information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-38707",
"datePublished": "2023-05-05T13:54:45.562Z",
"dateReserved": "2022-08-23T16:35:16.509Z",
"dateUpdated": "2025-01-29T16:56:04.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39234 (GCVE-0-2022-39234)
Vulnerability from cvelistv5 – Published: 2022-11-03 00:00 – Updated: 2025-04-23 16:41
VLAI
Title
user session persists even after permanently deleting account in GLPI
Summary
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.
Severity
4.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi |
Affected:
< 10.0.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-pgcx-mc58-3gmg"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:55:21.543145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:41:28.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-03T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-pgcx-mc58-3gmg"
}
],
"source": {
"advisory": "GHSA-pgcx-mc58-3gmg",
"discovery": "UNKNOWN"
},
"title": "user session persists even after permanently deleting account in GLPI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39234",
"datePublished": "2022-11-03T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:41:28.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40228 (GCVE-0-2022-40228)
Vulnerability from cvelistv5 – Published: 2022-11-22 18:52 – Updated: 2025-04-25 19:56
VLAI
Title
IBM DataPower Gateway session fixation
Summary
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/6840759 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
10.0.3.0 , < 10.0.4.0
(semver)
Affected: 10.0.1.0 , < 10.0.1.9 (semver) Affected: 2018.4.1.0 , < 2018.4.1.22 (semver) Affected: 10.5.0.0 , < 10.5.0.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6840759"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T19:56:47.775668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T19:56:58.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"lessThan": "10.0.4.0",
"status": "affected",
"version": "10.0.3.0",
"versionType": "semver"
},
{
"lessThan": "10.0.1.9",
"status": "affected",
"version": "10.0.1.0",
"versionType": "semver"
},
{
"lessThan": "2018.4.1.22",
"status": "affected",
"version": "2018.4.1.0",
"versionType": "semver"
},
{
"lessThan": "10.5.0.2",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003e\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003eIBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "\n\n\nIBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T18:52:13.196Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/6840759"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM DataPower Gateway session fixation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-40228",
"datePublished": "2022-11-22T18:52:13.196Z",
"dateReserved": "2022-09-08T15:59:19.267Z",
"dateUpdated": "2025-04-25T19:56:58.200Z",
"requesterUserId": "69938c14-a5a2-41ac-a450-71ed41911136",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4070 (GCVE-0-2022-4070)
Vulnerability from cvelistv5 – Published: 2022-11-20 00:00 – Updated: 2025-04-14 18:16
VLAI
Title
Insufficient Session Expiration in librenms/librenms
Summary
Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| librenms | librenms/librenms |
Affected:
unspecified , < 22.10.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/72d426bb-b56e-4534-88ba-0d11381b0775"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/librenms/librenms/commit/ce8e5f3d056829bfa7a845f9dc2757e21e419ddc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4070",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T18:14:00.753976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T18:16:21.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "librenms/librenms",
"vendor": "librenms",
"versions": [
{
"lessThan": "22.10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-20T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/72d426bb-b56e-4534-88ba-0d11381b0775"
},
{
"url": "https://github.com/librenms/librenms/commit/ce8e5f3d056829bfa7a845f9dc2757e21e419ddc"
}
],
"source": {
"advisory": "72d426bb-b56e-4534-88ba-0d11381b0775",
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Expiration in librenms/librenms"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-4070",
"datePublished": "2022-11-20T00:00:00.000Z",
"dateReserved": "2022-11-20T00:00:00.000Z",
"dateUpdated": "2025-04-14T18:16:21.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41672 (GCVE-0-2022-41672)
Vulnerability from cvelistv5 – Published: 2022-10-07 00:00 – Updated: 2024-08-03 12:49
VLAI
Title
Session still functional after user is deactivated
Summary
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
Severity
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow |
Affected:
unspecified , ≤ 2.4.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/26635"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn\u0027t prevent an already authenticated user from being able to continue using the UI or API."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-20T13:11:29.772Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://github.com/apache/airflow/pull/26635"
},
{
"url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Session still functional after user is deactivated",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-41672",
"datePublished": "2022-10-07T00:00:00.000Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:49:43.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43844 (GCVE-0-2022-43844)
Vulnerability from cvelistv5 – Published: 2023-01-05 17:19 – Updated: 2025-04-10 14:09
VLAI
Title
IBM Robotic Process Automation for Cloud Pak session fixation
Summary
IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081.
Severity
8.8 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/6852663 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Robotic Process Automation for Cloud Pak |
Affected:
20.12 , < 21.0.3
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6852663"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/239081"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43844",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:09:12.506549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:09:38.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Robotic Process Automation for Cloud Pak",
"vendor": "IBM",
"versions": [
{
"lessThan": "21.0.3",
"status": "affected",
"version": "20.12",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081."
}
],
"value": "IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-05T17:19:27.774Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/6852663"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/239081"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Robotic Process Automation for Cloud Pak session fixation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-43844",
"datePublished": "2023-01-05T17:19:27.774Z",
"dateReserved": "2022-10-26T15:46:22.820Z",
"dateUpdated": "2025-04-10T14:09:38.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45862 (GCVE-0-2022-45862)
Vulnerability from cvelistv5 – Published: 2024-08-13 15:51 – Updated: 2024-08-13 17:32
VLAI
Summary
An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.
Severity
CWE
- CWE-613 - Improper access control
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiPAM |
Affected:
1.3.0
Affected: 1.2.0 Affected: 1.1.0 , ≤ 1.1.2 (semver) Affected: 1.0.0 , ≤ 1.0.3 (semver) |
|
| Fortinet | FortiProxy |
Affected:
7.2.0 , ≤ 7.2.11
(semver)
Affected: 7.0.0 , ≤ 7.0.18 (semver) |
|
| Fortinet | FortiOS |
Affected:
7.2.0 , ≤ 7.2.5
(semver)
Affected: 7.0.0 , ≤ 7.0.7 (semver) Affected: 6.4.0 , ≤ 6.4.11 (semver) |
|
| Fortinet | FortiSwitchManager |
Affected:
7.2.0 , ≤ 7.2.1
(semver)
Affected: 7.0.0 , ≤ 7.0.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T17:32:08.496052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T17:32:25.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FortiPAM",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "1.3.0"
},
{
"status": "affected",
"version": "1.2.0"
},
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.0.3",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FortiProxy",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.2.11",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.18",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FortiOS",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.2.5",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.7",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.11",
"status": "affected",
"version": "6.4.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FortiSwitchManager",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.2.1",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.2",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Improper access control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T15:51:57.147Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-445",
"url": "https://fortiguard.com/psirt/FG-IR-22-445"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiOS version 7.4.0 or above \nPlease upgrade to FortiOS version 7.2.6 or above \nPlease upgrade to FortiPAM version 1.4.0 or above \nPlease upgrade to FortiProxy version 7.4.0 or above \nPlease upgrade to FortiSwitchManager version 7.2.2 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2022-45862",
"datePublished": "2024-08-13T15:51:57.147Z",
"dateReserved": "2022-11-23T14:57:05.613Z",
"dateUpdated": "2024-08-13T17:32:25.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46177 (GCVE-0-2022-46177)
Vulnerability from cvelistv5 – Published: 2023-01-05 19:48 – Updated: 2025-03-10 21:31
VLAI
Title
Discourse password reset link can lead to in account takeover if user changes to a new email
Summary
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed.
Severity
5.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/4bf… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/839… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3"
},
{
"name": "https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb85c20da570",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb85c20da570"
},
{
"name": "https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d67641b1f0b38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d67641b1f0b38"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:54.522300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:31:57.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 2.8.14"
},
{
"status": "affected",
"version": "\u003e= 2.9.0.beta0, \u003c 3.0.0.beta16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account\u0027s primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-05T19:48:05.483Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3"
},
{
"name": "https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb85c20da570",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb85c20da570"
},
{
"name": "https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d67641b1f0b38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d67641b1f0b38"
}
],
"source": {
"advisory": "GHSA-5www-jxvf-vrc3",
"discovery": "UNKNOWN"
},
"title": "Discourse password reset link can lead to in account takeover if user changes to a new email"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-46177",
"datePublished": "2023-01-05T19:48:05.483Z",
"dateReserved": "2022-11-28T17:27:19.999Z",
"dateUpdated": "2025-03-10T21:31:57.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-48317 (GCVE-0-2022-48317)
Vulnerability from cvelistv5 – Published: 2023-02-20 16:55 – Updated: 2025-03-12 18:12
VLAI
Title
Insecure Termination of RestAPI Session Tokens
Summary
Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.
Severity
5.6 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://checkmk.com/werk/14485 |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:10:59.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://checkmk.com/werk/14485"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T18:12:35.724507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T18:12:47.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Checkmk",
"vendor": "Tribe29",
"versions": [
{
"lessThanOrEqual": "2.0.0p28",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.0p10",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Expired sessions were not securely terminated in the RestAPI for Tribe29\u0027s Checkmk \u003c= 2.1.0p10 and Checkmk \u003c= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-20T16:55:28.000Z",
"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"shortName": "Tribe29"
},
"references": [
{
"url": "https://checkmk.com/werk/14485"
}
],
"title": "Insecure Termination of RestAPI Session Tokens"
}
},
"cveMetadata": {
"assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"assignerShortName": "Tribe29",
"cveId": "CVE-2022-48317",
"datePublished": "2023-02-20T16:55:28.000Z",
"dateReserved": "2023-02-08T08:46:54.799Z",
"dateUpdated": "2025-03-12T18:12:47.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.