CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
874 vulnerabilities reference this CWE, most recent first.
GHSA-VJQC-G788-F378
Vulnerability from github – Published: 2024-02-20 12:31 – Updated: 2024-02-23 15:16Session Fixation Apache DolphinScheduler before version 3.2.1, which session is still valid after the password change.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.dolphinscheduler:dolphinscheduler"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.8"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50270"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:21:28Z",
"nvd_published_at": "2024-02-20T10:15:08Z",
"severity": "MODERATE"
},
"details": "Session Fixation Apache DolphinScheduler before version 3.2.1, which session is still valid after the password change.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue.",
"id": "GHSA-vjqc-g788-f378",
"modified": "2024-02-23T15:16:50Z",
"published": "2024-02-20T12:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50270"
},
{
"type": "WEB",
"url": "https://github.com/apache/dolphinscheduler/pull/15219"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/dolphinscheduler"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2024/02/20/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/20/3"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Session Fixation Apache DolphinScheduler"
}
GHSA-VJXW-62PR-VRFG
Vulnerability from github – Published: 2023-12-25 06:30 – Updated: 2024-09-09 21:31One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM.
{
"affected": [],
"aliases": [
"CVE-2023-51772"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-25T06:15:08Z",
"severity": "HIGH"
},
"details": "One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\\SYSTEM.",
"id": "GHSA-vjxw-62pr-vrfg",
"modified": "2024-09-09T21:31:21Z",
"published": "2023-12-25T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51772"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-escalation-one-identity-password-manager-secure-password-extension"
},
{
"type": "WEB",
"url": "https://www.oneidentity.com/products/password-manager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM6P-35RW-3FXC
Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-18 19:14Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "aheinze/cockpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2713"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:14:08Z",
"nvd_published_at": "2022-08-08T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.",
"id": "GHSA-vm6p-35rw-3fxc",
"modified": "2022-08-18T19:14:08Z",
"published": "2022-08-09T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2713"
},
{
"type": "WEB",
"url": "https://github.com/cockpit-hq/cockpit/commit/dd8d0314912fa6517ebd2cc9939d9fafbe68731b"
},
{
"type": "PACKAGE",
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3080fc96-75d7-4868-84de-9fc8c9b90290"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cockpit before 2.2.0 vulnerable to Insufficient Session Expiration"
}
GHSA-VP66-GF7W-9M4X
Vulnerability from github – Published: 2024-02-17 06:30 – Updated: 2024-02-20 23:47All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/greenpau/caddy-security"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21492"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-20T23:47:50Z",
"nvd_published_at": "2024-02-17T05:15:08Z",
"severity": "MODERATE"
},
"details": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the \"Sign Out\" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.",
"id": "GHSA-vp66-gf7w-9m4x",
"modified": "2024-02-20T23:47:50Z",
"published": "2024-02-17T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21492"
},
{
"type": "WEB",
"url": "https://github.com/greenpau/caddy-security/issues/272"
},
{
"type": "WEB",
"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787"
},
{
"type": "PACKAGE",
"url": "github.com/greenpau/caddy-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in github.com/greenpau/caddy-security"
}
GHSA-VPFW-47H7-XJ4G
Vulnerability from github – Published: 2025-05-08 14:45 – Updated: 2025-05-09 14:34Summary
When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.
Details
Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.
Impact
When using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.
Mitigation
- Update to the latest version of
rack, or - Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a
logged_outflag, instead of deleting them, and check this flag on every request to prevent reuse, or - Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
Related
As this code was moved to rack-session in Rack 3+, see https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj for the equivalent advisory in rack-session (affecting Rack 3+ only).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.13"
},
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32441"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-08T14:45:18Z",
"nvd_published_at": "2025-05-07T23:15:53Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nWhen using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.\n\n### Details\n\n[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270) prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.\n\n### Impact\n\nWhen using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.\n\n## Mitigation\n\n- Update to the latest version of `rack`, or\n- Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse, or\n- Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.\n\n### Related\n\nAs this code was moved to `rack-session` in Rack 3+, see \u003chttps://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj\u003e for the equivalent advisory in `rack-session` (affecting Rack 3+ only).",
"id": "GHSA-vpfw-47h7-xj4g",
"modified": "2025-05-09T14:34:16Z",
"published": "2025-05-08T14:45:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32441"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rack session gets restored after deletion"
}
GHSA-VQ32-QXMX-986V
Vulnerability from github – Published: 2023-07-31 03:30 – Updated: 2023-07-31 03:30Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.
{
"affected": [],
"aliases": [
"CVE-2023-4005"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-31T01:15:09Z",
"severity": "LOW"
},
"details": "Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.",
"id": "GHSA-vq32-qxmx-986v",
"modified": "2023-07-31T03:30:23Z",
"published": "2023-07-31T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4005"
},
{
"type": "WEB",
"url": "https://github.com/fossbilling/fossbilling/commit/20c23b051eb690cb4ae60a257f6bb46eb3aae2d1"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f0aacce1-79bc-4765-95f1-7e824433b9e4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR2W-6JC9-59FH
Vulnerability from github – Published: 2022-10-24 19:00 – Updated: 2022-10-24 19:00Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
{
"affected": [],
"aliases": [
"CVE-2021-46279"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.",
"id": "GHSA-vr2w-6jc9-59fh",
"modified": "2022-10-24T19:00:16Z",
"published": "2022-10-24T19:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46279"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/blob/master/2021/46xxx/CVE-2021-46279.json"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories/CVE-2021-46279"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR7M-C6V4-8CX8
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-08 19:45A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoke_token() call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with FabAuthManager or KeycloakAuthManager (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side revoke_token() reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to apache-airflow 3.2.2 or later to cover the FAB / Keycloak logout paths.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48726"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-08T19:45:43Z",
"nvd_published_at": "2026-06-01T09:16:20Z",
"severity": "MODERATE"
},
"details": "A bug in Apache Airflow\u0027s auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.",
"id": "GHSA-vr7m-c6v4-8cx8",
"modified": "2026-07-08T19:45:43Z",
"published": "2026-06-01T09:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48726"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/67289"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-187.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57735"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow: Auth manager doesn\u0027t invalidate JWT tokens after users click logout"
}
GHSA-VWF2-F9CG-9FG8
Vulnerability from github – Published: 2023-06-19 06:30 – Updated: 2024-04-04 04:56In Siren Investigate before 13.2.2, session keys remain active even after logging out.
{
"affected": [],
"aliases": [
"CVE-2023-35857"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-19T04:15:11Z",
"severity": "CRITICAL"
},
"details": "In Siren Investigate before 13.2.2, session keys remain active even after logging out.",
"id": "GHSA-vwf2-f9cg-9fg8",
"modified": "2024-04-04T04:56:00Z",
"published": "2023-06-19T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35857"
},
{
"type": "WEB",
"url": "https://community.siren.io/c/announcements"
},
{
"type": "WEB",
"url": "https://docs.support.siren.io/siren-platform-user-guide/13.2/release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWHP-8JH2-Q93M
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-04 00:01Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
{
"affected": [],
"aliases": [
"CVE-2014-2595"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-12T01:15:00Z",
"severity": "CRITICAL"
},
"details": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.",
"id": "GHSA-vwhp-8jh2-q93m",
"modified": "2024-04-04T00:01:17Z",
"published": "2022-05-17T19:57:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2595"
},
{
"type": "WEB",
"url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39278"
},
{
"type": "WEB",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/69028"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Aug/5"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/109782"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.