CWE-672
Allowed-with-ReviewOperation on a Resource after Expiration or Release
Abstraction: Class · Status: Draft
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
118 vulnerabilities reference this CWE, most recent first.
GHSA-263C-689V-JCFH
Vulnerability from github – Published: 2024-05-22 21:30 – Updated: 2024-05-22 21:30IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.
{
"affected": [],
"aliases": [
"CVE-2024-31893"
],
"database_specific": {
"cwe_ids": [
"CWE-324",
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T19:15:08Z",
"severity": "MODERATE"
},
"details": "IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.",
"id": "GHSA-263c-689v-jcfh",
"modified": "2024-05-22T21:30:35Z",
"published": "2024-05-22T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31893"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/288174"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7154606"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2GF8-Q9RR-JQ3H
Vulnerability from github – Published: 2026-07-02 20:11 – Updated: 2026-07-02 20:11Am I affected
You are affected if:
- You run
zebradup to and includingv4.4.1. - Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners).
All default configurations are affected. The corruption persists across restarts because it is written to RocksDB.
Summary
When pop_tip removes the tip block during a chain fork, stale Sapling and Orchard note commitment subtree root data is retained in the in-memory non-finalized state. When the chain subsequently finalizes, this stale data is written to the persistent RocksDB state. The corrupted subtree root history affects z_getsubtreesbyindex (used by lightwalletd for wallet synchronization) and could affect future chain verification that depends on correct subtree roots.
Details
The non-finalized state provides two methods for removing blocks: pop_root (removes the oldest block during finalization) and pop_tip (removes the newest block during a fork revert). pop_root correctly cleans up note commitment subtree contributions. pop_tip does not: it removes the block but retains the block's subtree root contributions in the in-memory state.
When a chain fork occurs and pop_tip reverts the old tip, the winning fork's chain is extended. When that chain is later finalized, the stale subtree data from the reverted blocks is included in the RocksDB write batch and persisted to disk.
The pop_root/pop_tip asymmetry is specific to subtree root handling. Other state managed by pop_tip (nullifiers, UTXOs, anchors, block hashes) uses different cleanup patterns that are not affected.
Patches
zebra-state 7.0.0 and zebrad 4.5.0.
The fix adds subtree root cleanup to pop_tip matching the pattern already used by pop_root.
Workarounds
There is no configuration-level workaround. Chain forks are natural events on any Proof-of-Work network. Operators can mitigate the downstream impact by periodically verifying subtree root consistency using z_getsubtreesbyindex against a known-good reference.
Impact
Persistent corruption of Sapling and Orchard subtree root history in the RocksDB state database. The corruption survives node restarts. Downstream consumers that rely on z_getsubtreesbyindex for wallet synchronization (primarily lightwalletd and light wallets) receive incorrect subtree roots. This does not directly affect consensus validation of new blocks but can cause wallet synchronization failures or incorrect wallet state. Recovery requires rebuilding the state database from scratch.
Credit
Reported by @dingledropper via a private GitHub Security Advisory submission.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "crates.io",
"name": "zebra-state"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.1"
},
"package": {
"ecosystem": "crates.io",
"name": "zebrad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52733"
],
"database_specific": {
"cwe_ids": [
"CWE-459",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:11:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners).\n\nAll default configurations are affected. The corruption persists across restarts because it is written to RocksDB.\n\n### Summary\n\nWhen `pop_tip` removes the tip block during a chain fork, stale Sapling and Orchard note commitment subtree root data is retained in the in-memory non-finalized state. When the chain subsequently finalizes, this stale data is written to the persistent RocksDB state. The corrupted subtree root history affects `z_getsubtreesbyindex` (used by lightwalletd for wallet synchronization) and could affect future chain verification that depends on correct subtree roots.\n\n### Details\n\nThe non-finalized state provides two methods for removing blocks: `pop_root` (removes the oldest block during finalization) and `pop_tip` (removes the newest block during a fork revert). `pop_root` correctly cleans up note commitment subtree contributions. `pop_tip` does not: it removes the block but retains the block\u0027s subtree root contributions in the in-memory state.\n\nWhen a chain fork occurs and `pop_tip` reverts the old tip, the winning fork\u0027s chain is extended. When that chain is later finalized, the stale subtree data from the reverted blocks is included in the RocksDB write batch and persisted to disk.\n\nThe `pop_root`/`pop_tip` asymmetry is specific to subtree root handling. Other state managed by `pop_tip` (nullifiers, UTXOs, anchors, block hashes) uses different cleanup patterns that are not affected.\n\n### Patches\n\nzebra-state 7.0.0 and zebrad 4.5.0.\n\nThe fix adds subtree root cleanup to `pop_tip` matching the pattern already used by `pop_root`.\n\n### Workarounds\n\nThere is no configuration-level workaround. Chain forks are natural events on any Proof-of-Work network. Operators can mitigate the downstream impact by periodically verifying subtree root consistency using `z_getsubtreesbyindex` against a known-good reference.\n\n### Impact\n\nPersistent corruption of Sapling and Orchard subtree root history in the RocksDB state database. The corruption survives node restarts. Downstream consumers that rely on `z_getsubtreesbyindex` for wallet synchronization (primarily `lightwalletd` and light wallets) receive incorrect subtree roots. This does not directly affect consensus validation of new blocks but can cause wallet synchronization failures or incorrect wallet state. Recovery requires rebuilding the state database from scratch.\n\n### Credit\n\nReported by `@dingledropper` via a private GitHub Security Advisory submission.",
"id": "GHSA-2gf8-q9rr-jq3h",
"modified": "2026-07-02T20:11:36Z",
"published": "2026-07-02T20:11:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-2gf8-q9rr-jq3h"
},
{
"type": "PACKAGE",
"url": "https://github.com/ZcashFoundation/zebra"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip"
}
GHSA-2VG6-77G8-24MP
Vulnerability from github – Published: 2026-07-07 20:56 – Updated: 2026-07-07 20:56Am I affected?
Users are affected if all of the following are true:
- They configure
secondaryStorageonbetterAuth(...)(Redis, KV, or any external session cache). session.storeSessionInDatabaseis left unset or set tofalse(the default).- Their application's deployment uses one or more of:
- The
adminplugin and callsauth.api.removeUser(...)orauthClient.admin.removeUser(...). - The
anonymousplugin and exposes/delete-anonymous-useror relies on the after-link hook to clean up the anonymous user. - The
@better-auth/scimplugin and exposesDELETE /scim/v2/Users/:userId.
If storeSessionInDatabase is true, sessions are also written to the database, and the database delete cascades; users are not affected.
Fix:
- Upgrade to
better-auth@<patched-version>or later (and@better-auth/scim@<patched-version>if they use SCIM). - If they cannot upgrade, see workarounds below.
Summary
When secondaryStorage is configured and storeSessionInDatabase is false, three user-deletion endpoints in better-auth plus one in @better-auth/scim call internalAdapter.deleteUser(userId) without first calling internalAdapter.deleteSessions(userId). The deleted user's session payload (which carries a cached user object) remains in secondary storage, and internalAdapter.findSession(token) keeps returning it as a valid session until the session TTL elapses (default 7 days).
Details
The vulnerable call sites are:
adminplugin'sremoveUser(packages/better-auth/src/plugins/admin/routes.ts:1463).anonymousplugin's self-delete endpoint (packages/better-auth/src/plugins/anonymous/index.ts:222).anonymousplugin's after-link hook (packages/better-auth/src/plugins/anonymous/index.ts:325).@better-auth/scim'sDELETE /scim/v2/Users/:userId(packages/scim/src/routes.ts:1019).
Working callers that already do the right thing: the core /delete-user self-delete and /delete-user/callback (packages/better-auth/src/api/routes/update-user.ts:551).
The fix shape extends each vulnerable caller to invoke deleteSessions(userId) before deleteUser(userId). The architectural follow-up centralizes the cleanup inside deleteUser itself or introduces a single deleteUserAndSessions orchestrator so future callers cannot regress this contract.
Patches
Fixed in better-auth@<patched-version> and @better-auth/scim@<patched-version>. All four user-deletion call sites now invoke deleteSessions(userId) before deleteUser(userId) so sessions are evicted from secondary storage at the same time the user row is removed.
Workarounds
If users cannot upgrade immediately:
- Configuration-level: set
session.storeSessionInDatabase: true. Subsequent user-delete writes reach the session table and the database cascade removes rows. Increases write volume for high-throughput sessions but eliminates the gap. - Code-level (admin path): when calling
auth.api.removeUser, also callauth.api.revokeUserSessions({ body: { userId } }), which usesdeleteSessionsinternally. - Code-level (SCIM path): wrap their SCIM provider's deprovisioning hook to call
auth.api.revokeUserSessions(...)after the SCIM DELETE. - Code-level (anonymous path): in
onLinkAccount, explicitly callinternalAdapter.deleteSessions(anonymousUser.user.id)before allowing the new session to be issued.
Impact
- Stale session validity: a deleted user's existing session cookie continues to authenticate against
getSessionFromCtxuntil the session TTL elapses (default 7 days). Within that window, the deleted user retains their pre-existing read and write surface. - SCIM-driven deprovisioning gap: organizations using SCIM to revoke offboarded employees' access do not, in fact, revoke active sessions. The deleted account remains usable for up to 7 days after deprovisioning.
Credit
Reported by @iruizsalinas.
Resources
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "better-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.4"
},
{
"fixed": "1.6.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@better-auth/scim"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-459",
"CWE-613",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T20:56:45Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Am I affected?\n\nUsers are affected if all of the following are true:\n\n- They configure `secondaryStorage` on `betterAuth(...)` (Redis, KV, or any external session cache).\n- `session.storeSessionInDatabase` is left unset or set to `false` (the default).\n- Their application\u0027s deployment uses one or more of:\n - The `admin` plugin and calls `auth.api.removeUser(...)` or `authClient.admin.removeUser(...)`.\n - The `anonymous` plugin and exposes `/delete-anonymous-user` or relies on the after-link hook to clean up the anonymous user.\n - The `@better-auth/scim` plugin and exposes `DELETE /scim/v2/Users/:userId`.\n\nIf `storeSessionInDatabase` is `true`, sessions are also written to the database, and the database delete cascades; users are not affected.\n\nFix:\n\n1. Upgrade to `better-auth@\u003cpatched-version\u003e` or later (and `@better-auth/scim@\u003cpatched-version\u003e` if they use SCIM).\n2. If they cannot upgrade, see workarounds below.\n\n### Summary\n\nWhen `secondaryStorage` is configured and `storeSessionInDatabase` is `false`, three user-deletion endpoints in `better-auth` plus one in `@better-auth/scim` call `internalAdapter.deleteUser(userId)` without first calling `internalAdapter.deleteSessions(userId)`. The deleted user\u0027s session payload (which carries a cached user object) remains in secondary storage, and `internalAdapter.findSession(token)` keeps returning it as a valid session until the session TTL elapses (default 7 days).\n\n### Details\n\nThe vulnerable call sites are:\n\n- `admin` plugin\u0027s `removeUser` (`packages/better-auth/src/plugins/admin/routes.ts:1463`).\n- `anonymous` plugin\u0027s self-delete endpoint (`packages/better-auth/src/plugins/anonymous/index.ts:222`).\n- `anonymous` plugin\u0027s after-link hook (`packages/better-auth/src/plugins/anonymous/index.ts:325`).\n- `@better-auth/scim`\u0027s `DELETE /scim/v2/Users/:userId` (`packages/scim/src/routes.ts:1019`).\n\nWorking callers that already do the right thing: the core `/delete-user` self-delete and `/delete-user/callback` (`packages/better-auth/src/api/routes/update-user.ts:551`).\n\nThe fix shape extends each vulnerable caller to invoke `deleteSessions(userId)` before `deleteUser(userId)`. The architectural follow-up centralizes the cleanup inside `deleteUser` itself or introduces a single `deleteUserAndSessions` orchestrator so future callers cannot regress this contract.\n\n### Patches\n\nFixed in `better-auth@\u003cpatched-version\u003e` and `@better-auth/scim@\u003cpatched-version\u003e`. All four user-deletion call sites now invoke `deleteSessions(userId)` before `deleteUser(userId)` so sessions are evicted from secondary storage at the same time the user row is removed.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- **Configuration-level**: set `session.storeSessionInDatabase: true`. Subsequent user-delete writes reach the session table and the database cascade removes rows. Increases write volume for high-throughput sessions but eliminates the gap.\n- **Code-level (admin path)**: when calling `auth.api.removeUser`, also call `auth.api.revokeUserSessions({ body: { userId } })`, which uses `deleteSessions` internally.\n- **Code-level (SCIM path)**: wrap their SCIM provider\u0027s deprovisioning hook to call `auth.api.revokeUserSessions(...)` after the SCIM DELETE.\n- **Code-level (anonymous path)**: in `onLinkAccount`, explicitly call `internalAdapter.deleteSessions(anonymousUser.user.id)` before allowing the new session to be issued.\n\n### Impact\n\n- **Stale session validity**: a deleted user\u0027s existing session cookie continues to authenticate against `getSessionFromCtx` until the session TTL elapses (default 7 days). Within that window, the deleted user retains their pre-existing read and write surface.\n- **SCIM-driven deprovisioning gap**: organizations using SCIM to revoke offboarded employees\u0027 access do not, in fact, revoke active sessions. The deleted account remains usable for up to 7 days after deprovisioning.\n\n### Credit\n\nReported by @iruizsalinas.\n\n### Resources\n\n- [CWE-613: Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html)\n- [CWE-672: Operation on a Resource after Expiration or Release](https://cwe.mitre.org/data/definitions/672.html)\n- [CWE-459: Incomplete Cleanup](https://cwe.mitre.org/data/definitions/459.html)",
"id": "GHSA-2vg6-77g8-24mp",
"modified": "2026-07-07T20:56:45Z",
"published": "2026-07-07T20:56:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-2vg6-77g8-24mp"
},
{
"type": "PACKAGE",
"url": "https://github.com/better-auth/better-auth"
},
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows"
}
GHSA-2VW6-5F85-H22M
Vulnerability from github – Published: 2025-04-21 15:31 – Updated: 2025-04-21 15:31Reference to Expired Domain Vulnerability in OpenText™ ArcSight Enterprise Security Manager.
{
"affected": [],
"aliases": [
"CVE-2025-2517"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-21T15:16:00Z",
"severity": "LOW"
},
"details": "Reference to Expired Domain Vulnerability in OpenText\u2122 ArcSight Enterprise Security Manager.",
"id": "GHSA-2vw6-5f85-h22m",
"modified": "2025-04-21T15:31:26Z",
"published": "2025-04-21T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2517"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000040103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2W5J-QFVW-2HF5
Vulnerability from github – Published: 2024-09-19 16:07 – Updated: 2024-09-20 14:18Impact
ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state.
Patches
2.x versions are fixed on >= 2.62.1 2.61.x versions are fixed on >= 2.61.1 2.60.x versions are fixed on >= 2.60.2 2.59.x versions are fixed on >= 2.59.3 2.58.x versions are fixed on >= 2.58.5 2.57.x versions are fixed on >= 2.57.5 2.56.x versions are fixed on >= 2.56.6 2.55.x versions are fixed on >= 2.55.8 2.54.x versions are fixed on >= 2.54.10
Workarounds
Unpatched versions can explicitly remove the user grants to make sure the user does not get access anymore.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.62.0"
},
{
"fixed": "2.62.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.61.0"
},
{
"fixed": "2.61.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.60.0"
},
{
"fixed": "2.60.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.59.0"
},
{
"fixed": "2.59.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.58.0"
},
{
"fixed": "2.58.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.57.0"
},
{
"fixed": "2.57.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.56.0"
},
{
"fixed": "2.56.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.55.0"
},
{
"fixed": "2.55.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.54.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46999"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-19T16:07:58Z",
"nvd_published_at": "2024-09-20T00:15:03Z",
"severity": "HIGH"
},
"details": "### Impact\n\nZITADEL\u0027s user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources.\nAdditionally, the management and auth API always returned the state as active or did not provide any information about the state.\n\n### Patches\n\n2.x versions are fixed on \u003e= [2.62.1](https://github.com/zitadel/zitadel/releases/tag/v2.62.1)\n2.61.x versions are fixed on \u003e= [2.61.1](https://github.com/zitadel/zitadel/releases/tag/v2.61.1)\n2.60.x versions are fixed on \u003e= [2.60.2](https://github.com/zitadel/zitadel/releases/tag/v2.60.2)\n2.59.x versions are fixed on \u003e= [2.59.3](https://github.com/zitadel/zitadel/releases/tag/v2.59.3)\n2.58.x versions are fixed on \u003e= [2.58.5](https://github.com/zitadel/zitadel/releases/tag/v2.58.5)\n2.57.x versions are fixed on \u003e= [2.57.5](https://github.com/zitadel/zitadel/releases/tag/v2.57.5)\n2.56.x versions are fixed on \u003e= [2.56.6](https://github.com/zitadel/zitadel/releases/tag/v2.56.6)\n2.55.x versions are fixed on \u003e= [2.55.8](https://github.com/zitadel/zitadel/releases/tag/v2.55.8)\n2.54.x versions are fixed on \u003e= [2.54.10](https://github.com/zitadel/zitadel/releases/tag/v2.54.10)\n\n### Workarounds\n\nUnpatched versions can explicitly remove the user grants to make sure the user does not get access anymore.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n",
"id": "GHSA-2w5j-qfvw-2hf5",
"modified": "2024-09-20T14:18:05Z",
"published": "2024-09-19T16:07:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46999"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ZITADEL\u0027s User Grant Deactivation not Working"
}
GHSA-2XM2-XJ2Q-QGPJ
Vulnerability from github – Published: 2020-10-27 19:15 – Updated: 2021-10-06 22:02Original Message: Hi,
I create objects with one client with an ACL of all users with a specific column value. Thats working so far.
Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right.
The LiveQueryServer doesnt detect deleted sessions after the websocket connection was established. There should be a mechanism that checks in an specific interval if the session exists. I dont know if its true with expired sessions.
Any solutions?
Parse version: 4.3.0 Parse js SDK version: 2.17
Solution: Hi guys.
I've found and fixed the problem. It happens because there are two caches in place for the session token:
- at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds;
- at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days.
But there are three problems:
- cacheTTL has currently no effect over Live Query Server;
- cacheTimeout also has currently no effect over Live Query Server;
- cacheTimeout actually defaults to 1h.
So, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events.
What I did:
- Added a test case for the problem;
- Fixed cacheTTL for Live Query Server;
- Fixed cacheTimeout for Live Query Server;
- Changed the cacheTimeout to default 5s;
- Changed the docs to reflect the actual 5s default for cacheTimeout.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15270"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2020-10-22T21:12:08Z",
"nvd_published_at": "2020-10-22T22:15:00Z",
"severity": "MODERATE"
},
"details": "Original Message:\nHi,\n\nI create objects with one client with an ACL of all users with a specific column value. Thats working so far.\n\nThen I deleted the session object from one user to look if he can receive subscription objects and he can receive them.\nThe client with the deleted session cant create new objects, which Parse restricts right.\n\nThe LiveQueryServer doesnt detect deleted sessions after the websocket connection was established.\nThere should be a mechanism that checks in an specific interval if the session exists.\nI dont know if its true with expired sessions.\n\nAny solutions?\n\nParse version: 4.3.0\nParse js SDK version: 2.17\n\nSolution:\nHi guys.\n\nI\u0027ve found and fixed the problem. It happens because there are two caches in place for the session token:\n\n- at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds;\n- at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days.\n\nBut there are three problems:\n\n- cacheTTL has currently no effect over Live Query Server;\n- cacheTimeout also has currently no effect over Live Query Server;\n- cacheTimeout actually defaults to 1h.\n\nSo, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events.\n\nWhat I did:\n\n- Added a test case for the problem;\n- Fixed cacheTTL for Live Query Server;\n- Fixed cacheTimeout for Live Query Server;\n- Changed the cacheTimeout to default 5s;\n- Changed the docs to reflect the actual 5s default for cacheTimeout.\n\n",
"id": "GHSA-2xm2-xj2q-qgpj",
"modified": "2021-10-06T22:02:05Z",
"published": "2020-10-27T19:15:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15270"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "receiving subscription objects with deleted session"
}
GHSA-36W9-QQ4H-PV36
Vulnerability from github – Published: 2026-07-03 21:31 – Updated: 2026-07-03 21:31Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2026-58291"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T21:17:03Z",
"severity": "MODERATE"
},
"details": "Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.",
"id": "GHSA-36w9-qq4h-pv36",
"modified": "2026-07-03T21:31:40Z",
"published": "2026-07-03T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58291"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58291"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-38QG-7H9Q-7H29
Vulnerability from github – Published: 2025-10-31 12:30 – Updated: 2025-11-05 00:31When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain.
For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.
{
"affected": [],
"aliases": [
"CVE-2025-58149"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T12:15:35Z",
"severity": "HIGH"
},
"details": "When passing through PCI devices, the detach logic in libxl won\u0027t remove\naccess permissions to any 64bit memory BARs the device might have. As a\nresult a domain can still have access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables. For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m.",
"id": "GHSA-38qg-7h9q-7h29",
"modified": "2025-11-05T00:31:32Z",
"published": "2025-10-31T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58149"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-476.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/24/1"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-476.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3CJH-P6PW-JHV9
Vulnerability from github – Published: 2023-09-19 17:00 – Updated: 2023-09-19 17:00Use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A cache key may become expired when all Pow.Store.Backend.MnesiaCache instances have been shut down for a period that is longer than the keys' remaining TTL and the expired key won't be invalidated on startups.
Workarounds
The expired keys, including all expired sessions, can be manually invalidated by running:
:mnesia.sync_transaction(fn ->
Enum.each(:mnesia.dirty_select(Pow.Store.Backend.MnesiaCache, [{{Pow.Store.Backend.MnesiaCache, :_, :_}, [], [:"$_"]}]), fn {_, key, {_value, expire}} ->
ttl = expire - :os.system_time(:millisecond)
if ttl < 0, do: :mnesia.delete({Pow.Store.Backend.MnesiaCache, key})
end)
end)
References
https://github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17 https://github.com/pow-auth/pow/issues/713 https://github.com/pow-auth/pow/pull/714
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "pow"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.14"
},
{
"fixed": "1.0.34"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42446"
],
"database_specific": {
"cwe_ids": [
"CWE-298",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-19T17:00:08Z",
"nvd_published_at": "2023-09-18T22:15:47Z",
"severity": "MODERATE"
},
"details": "Use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A cache key may become expired when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than the keys\u0027 remaining TTL and the expired key won\u0027t be invalidated on startups.\n\n### Workarounds\n\nThe expired keys, including all expired sessions, can be manually invalidated by running:\n\n```elixir\n:mnesia.sync_transaction(fn -\u003e\n Enum.each(:mnesia.dirty_select(Pow.Store.Backend.MnesiaCache, [{{Pow.Store.Backend.MnesiaCache, :_, :_}, [], [:\"$_\"]}]), fn {_, key, {_value, expire}} -\u003e\n ttl = expire - :os.system_time(:millisecond)\n if ttl \u003c 0, do: :mnesia.delete({Pow.Store.Backend.MnesiaCache, key})\n end)\nend)\n```\n\n### References\nhttps://github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17\nhttps://github.com/pow-auth/pow/issues/713\nhttps://github.com/pow-auth/pow/pull/714\n",
"id": "GHSA-3cjh-p6pw-jhv9",
"modified": "2023-09-19T17:00:08Z",
"published": "2023-09-19T17:00:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42446"
},
{
"type": "WEB",
"url": "https://github.com/pow-auth/pow/issues/713"
},
{
"type": "WEB",
"url": "https://github.com/pow-auth/pow/pull/714"
},
{
"type": "WEB",
"url": "https://github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17"
},
{
"type": "PACKAGE",
"url": "https://github.com/pow-auth/pow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pow Mnesia cache doesn\u0027t invalidate all expired keys on startup"
}
GHSA-3W9M-VG42-8V9H
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 15:34By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.
{
"affected": [],
"aliases": [
"CVE-2022-22755"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox \u003c 97.",
"id": "GHSA-3w9m-vg42-8v9h",
"modified": "2025-04-16T15:34:06Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22755"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1309630"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.