CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-5VCX-9483-28VF
Vulnerability from github – Published: 2023-05-05 21:31 – Updated: 2024-04-04 03:49IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290.
{
"affected": [],
"aliases": [
"CVE-2020-4914"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-05T19:15:15Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290.",
"id": "GHSA-5vcx-9483-28vf",
"modified": "2024-04-04T03:49:54Z",
"published": "2023-05-05T21:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4914"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191290"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6967181"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5VJ7-M9PC-CF7G
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158.
{
"affected": [],
"aliases": [
"CVE-2020-4780"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-12T13:15:00Z",
"severity": "MODERATE"
},
"details": "OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the \u0027secure\u0027 attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158.",
"id": "GHSA-5vj7-m9pc-cf7g",
"modified": "2022-05-24T17:30:31Z",
"published": "2022-05-24T17:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4780"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189158"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6346581"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5WQR-8P59-25CC
Vulnerability from github – Published: 2024-06-12 21:31 – Updated: 2024-09-06 18:31An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts. This is provided that the users do not log out of their deleted accounts.
{
"affected": [],
"aliases": [
"CVE-2024-36523"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T21:15:50Z",
"severity": "MODERATE"
},
"details": "An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts. This is provided that the users do not log out of their deleted accounts.",
"id": "GHSA-5wqr-8p59-25cc",
"modified": "2024-09-06T18:31:26Z",
"published": "2024-06-12T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36523"
},
{
"type": "WEB",
"url": "https://github.com/648540858/wvp-GB28181-pro/issues/1456"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5WX3-HJMF-QCGX
Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-05-28 18:33The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.
{
"affected": [],
"aliases": [
"CVE-2025-48929"
],
"database_specific": {
"cwe_ids": [
"CWE-613",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-28T17:15:25Z",
"severity": "MODERATE"
},
"details": "The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.",
"id": "GHSA-5wx3-hjmf-qcgx",
"modified": "2025-05-28T18:33:28Z",
"published": "2025-05-28T18:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48929"
},
{
"type": "WEB",
"url": "https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5XWJ-82GW-46FV
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-27898"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T20:22:01Z",
"severity": "MODERATE"
},
"details": "IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-5xwj-82gw-46fv",
"modified": "2026-02-17T21:31:14Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27898"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7259901"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-624J-V5V7-QJPG
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only.
{
"affected": [],
"aliases": [
"CVE-2020-3188"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-06T17:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only.",
"id": "GHSA-624j-v5v7-qjpg",
"modified": "2022-05-24T17:17:17Z",
"published": "2022-05-24T17:17:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3188"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-mgmt-interface-dos-FkG4MuTU"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6293-2VG2-PMP5
Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-24 00:53Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.9.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.91.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2064"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-24T00:53:03Z",
"nvd_published_at": "2022-06-13T12:15:00Z",
"severity": "HIGH"
},
"details": "Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.9.",
"id": "GHSA-6293-2vg2-pmp5",
"modified": "2022-06-24T00:53:03Z",
"published": "2022-06-14T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2064"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/pull/2262"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/pull/2338"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/0.91.9"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in NocoDB"
}
GHSA-62GF-43C6-CFMP
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.
{
"affected": [],
"aliases": [
"CVE-2020-1666"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-16T21:15:00Z",
"severity": "MODERATE"
},
"details": "The system console configuration option \u0027log-out-on-disconnect\u0027 In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.",
"id": "GHSA-62gf-43c6-cfmp",
"modified": "2022-05-24T17:30:51Z",
"published": "2022-05-24T17:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1666"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11063"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-62QF-QM3G-FVCW
Vulnerability from github – Published: 2024-08-05 09:30 – Updated: 2026-06-05 14:15Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB.
This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out.
-
FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected)
-
FAB provider 1.2.0 affected all versions of Airflow.
Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.
Users who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.
Also upgrading Apache Airflow to latest version available is recommended.
Note: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images.
Users are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-providers-fab"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-42447"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-05T16:09:33Z",
"nvd_published_at": "2024-08-05T08:15:56Z",
"severity": "LOW"
},
"details": "Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB.\n\nThis issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out.\u00a0\u00a0\n\n* FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected)\n\n* FAB provider 1.2.0 affected all versions of Airflow.\n\nUsers who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.\n\nUsers who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue.\n\nAlso upgrading Apache Airflow to latest version available is recommended.\n\nNote: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images.\u00a0\n\nUsers are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints.",
"id": "GHSA-62qf-qm3g-fvcw",
"modified": "2026-06-05T14:15:27Z",
"published": "2024-08-05T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42447"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/40784"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-265.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/2zoo8cjlwfjhbfdxfgltcm0hnc0qmc52"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/08/04/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow Providers FAB Insufficient Session Expiration vulnerability"
}
GHSA-636J-7X7R-GVW2
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-13 13:28Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0-RC-5"
},
"package": {
"ecosystem": "Packagist",
"name": "snipe/snipe-it"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-RC-1"
},
{
"fixed": "6.0.0-RC-6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "snipe/snipe-it"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1155"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-01T14:11:35Z",
"nvd_published_at": "2022-03-30T13:15:00Z",
"severity": "HIGH"
},
"details": "Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.",
"id": "GHSA-636j-7x7r-gvw2",
"modified": "2022-04-13T13:28:21Z",
"published": "2022-03-31T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1155"
},
{
"type": "WEB",
"url": "https://github.com/snipe/snipe-it/pull/10876"
},
{
"type": "WEB",
"url": "https://github.com/snipe/snipe-it/commit/bdabbbd4e98e88ee01e728ceb4fd512661fbd38d"
},
{
"type": "PACKAGE",
"url": "https://github.com/snipe/snipe-it"
},
{
"type": "WEB",
"url": "https://github.com/snipe/snipe-it/releases/tag/v5.4.2"
},
{
"type": "WEB",
"url": "https://github.com/snipe/snipe-it/releases/tag/v6.0.0-RC-6"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ebc26354-2414-4f72-88aa-f044aec2b2e1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Old sessions not blocked by login enable function in Snipe-IT"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.