Total
331 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31677 | 1 Vmware | 1 Pinniped | 2022-09-07 | N/A | 5.4 MEDIUM |
| An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow. | |||||
| CVE-2022-23669 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-09-02 | 6.5 MEDIUM | 8.8 HIGH |
| A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2018-1195 | 1 Cloudfoundry | 3 Capi-release, Cf-deployment, Cf-release | 2022-08-29 | 6.5 MEDIUM | 8.8 HIGH |
| In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication. | |||||
| CVE-2022-2713 | 1 Agentejo | 1 Cockpit | 2022-08-12 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0. | |||||
| CVE-2022-35728 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2022-08-10 | N/A | 9.8 CRITICAL |
| In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-25979 | 1 Apostrophecms | 1 Apostrophecms | 2022-08-10 | 7.5 HIGH | 9.8 CRITICAL |
| Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session. | |||||
| CVE-2022-31145 | 1 Flyte | 1 Flyteadmin | 2022-07-20 | N/A | 6.5 MEDIUM |
| FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet. | |||||
| CVE-2022-33137 | 1 Siemens | 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more | 2022-07-15 | 6.0 MEDIUM | 8.0 HIGH |
| A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions. | |||||
| CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| Old session tokens can be used to authenticate to the application and send authenticated requests. | |||||
| CVE-2022-22317 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Curam Social Program Management and 4 more | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 218281. | |||||
| CVE-2022-22318 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Curam Social Program Management and 4 more | 2022-06-28 | 6.5 MEDIUM | 9.8 CRITICAL |
| IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2022-31050 | 1 Typo3 | 1 Typo3 | 2022-06-23 | 6.5 MEDIUM | 7.2 HIGH |
| TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. | |||||
| CVE-2022-2064 | 1 Xgenecloud | 1 Nocodb | 2022-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+. | |||||
| CVE-2020-13353 | 1 Gitlab | 1 Gitaly | 2022-06-13 | 2.1 LOW | 3.2 LOW |
| When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. | |||||
| CVE-2022-30277 | 1 Bd | 1 Synapsys | 2022-06-10 | 3.6 LOW | 5.7 MEDIUM |
| BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). | |||||
| CVE-2021-27351 | 1 Telegram | 1 Telegram | 2022-05-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. | |||||
| CVE-2021-27751 | 1 Hcltechsw | 1 Hcl Commerce | 2022-05-16 | 1.9 LOW | 3.3 LOW |
| HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible. | |||||
| CVE-2022-23063 | 1 Shopizer | 1 Shopizer | 2022-05-10 | 6.5 MEDIUM | 8.8 HIGH |
| In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2021-3461 | 1 Redhat | 2 Keycloak, Single Sign-on | 2022-04-13 | 3.3 LOW | 7.1 HIGH |
| A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | |||||
| CVE-2022-25590 | 1 Surveyking | 1 Surveyking | 2022-03-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to login to the system and access data using the browser cache when the user exits the application. | |||||