Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-WX2Q-8M6X-V282

Vulnerability from github – Published: 2023-04-18 21:30 – Updated: 2024-04-04 03:34
VLAI
Details

A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-18T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "\n\n\nA CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to\nmaintain unauthorized access over a hijacked session in PME after the legitimate user has\nsigned out of their account.\n\n\n\n",
  "id": "GHSA-wx2q-8m6x-v282",
  "modified": "2024-04-04T03:34:42Z",
  "published": "2023-04-18T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28003"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-073-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-073-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX4J-99R4-V8WG

Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2022-05-24 22:29
VLAI
Details

In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-10T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "In \u201cOrchard core CMS\u201d application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.",
  "id": "GHSA-wx4j-99r4-v8wg",
  "modified": "2022-05-24T22:29:04Z",
  "published": "2022-05-24T22:29:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25966"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OrchardCMS/OrchardCore/blob/v1.0.0/src/OrchardCore.Modules/OrchardCore.Users/Controllers/ResetPasswordController.cs#L123"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25966"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WXG7-W2V3-W38G

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
Details

Summary

Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.

Specifically, within the validation pipeline:

  • Missing Expiration (exp) Enforcement: If an incoming JWT omits the exp claim entirely, the expiration block is silently skipped rather than rejected. The token is treated as valid forever.
  • Missing Issued-At (iat) Enforcement: ZITADEL enforces a 1-hour freshness window (maxAge) via the token's issue time. However, this safety check is guarded by a presence condition. If a token omits the iat claim, the freshness check is entirely bypassed, allowing arbitrarily old tokens to pass.

Per the OIDC Core 1.0 specification, identity token validation pipelines must strictly handle and enforce session expiration. ZITADEL's silent acceptance of tokens missing these temporal constraints compromises session integrity.

Impact

An attacker in possession of a token that lacks both exp and iat claims holds a permanent credential that will never expire and will always be deemed "fresh" by the system. Even without combining both flaws, the absence of an expiration constraint means a leaked token effectively turns into a skeleton key for that user session with no automatic revocation window.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.15.1 (including RC versions)
  • 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. ZITADEL now explicitly rejects tokens that lack an exp or iat claim.

Workarounds

The recommended solution is to update ZITADEL to a patched version.

If an immediate upgrade is not feasible, ensure at the Identity Provider level that the external IdP is rigidly configured to enforce short token lifetimes and explicitly includes both exp and iat claims in every single token payload it signs and issues.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Android-Login-Analysis, Jason Zhou and Pedro Giglioti for reporting this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.80.0-v2.20.0.20260615122908-fad02c6d9f45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:21Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nTwo closely related token lifecycle validation vulnerabilities were discovered in ZITADEL\u0027s external JWT Identity Provider (IdP) implementation.\n\nSpecifically, within the validation pipeline:\n\n* **Missing Expiration (`exp`) Enforcement:** If an incoming JWT omits the `exp` claim entirely, the expiration block is silently skipped rather than rejected. The token is treated as valid forever.\n* **Missing Issued-At (`iat`) Enforcement:** ZITADEL enforces a 1-hour freshness window (`maxAge`) via the token\u0027s issue time. However, this safety check is guarded by a presence condition. If a token omits the `iat` claim, the freshness check is entirely bypassed, allowing arbitrarily old tokens to pass.\n\nPer the OIDC Core 1.0 specification, identity token validation pipelines must strictly handle and enforce session expiration. ZITADEL\u0027s silent acceptance of tokens missing these temporal constraints compromises session integrity.\n\n### Impact\n\nAn attacker in possession of a token that lacks both `exp` and `iat` claims holds a permanent credential that will never expire and will always be deemed \"fresh\" by the system. Even without combining both flaws, the absence of an expiration constraint means a leaked token effectively turns into a skeleton key for that user session with no automatic revocation window.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n\n* **4.x**: `4.0.0` through `4.15.1` (including RC versions)\n* **3.x**: `3.0.0` through `3.4.11` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. ZITADEL now explicitly rejects tokens that lack an `exp` or `iat` claim.\n\n* **4.x**: Upgrade to $\\ge$ [4.15.2](https://github.com/zitadel/zitadel/releases/tag/v4.15.2)\n* **3.x**: Upgrade to $\\ge$ [3.4.12](https://github.com/zitadel/zitadel/releases/tag/v3.4.12)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\nIf an immediate upgrade is not feasible, ensure at the Identity Provider level that the external IdP is rigidly configured to enforce short token lifetimes and **explicitly includes** both `exp` and `iat` claims in every single token payload it signs and issues.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to [Android-Login-Analysis](https://github.com/Android-Login-Analysis), Jason Zhou and [Pedro Giglioti](https://github.com/Punisher100) for reporting this vulnerability.",
  "id": "GHSA-wxg7-w2v3-w38g",
  "modified": "2026-06-18T13:52:21Z",
  "published": "2026-06-18T13:52:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/fad02c6d9f4587956f830d4536c64a9a94baa7ac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": " ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider"
}

GHSA-WXW4-9HR6-3VW4

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. Parsing a file may lead to an unexpected app termination.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. Parsing a file may lead to an unexpected app termination.",
  "id": "GHSA-wxw4-9hr6-3vw4",
  "modified": "2025-11-03T21:32:24Z",
  "published": "2025-01-28T00:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122068"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122069"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122070"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/15"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/16"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X33X-Q828-VC8W

Vulnerability from github – Published: 2023-04-16 03:30 – Updated: 2024-04-04 03:29
VLAI
Details

In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-16T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.",
  "id": "GHSA-x33x-q828-vc8w",
  "modified": "2024-04-04T03:29:59Z",
  "published": "2023-04-16T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37186"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b393947663ad3bf26bad0581413dd6fae4"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.0.15"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X4VH-J75G-268G

Vulnerability from github – Published: 2026-03-02 19:53 – Updated: 2026-03-02 19:53
VLAI
Summary
NocoDB's Refresh Tokens Not Revoked on Password Reset
Details

Summary

The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.

Details

passwordReset() in users.service.ts updated token_version (invalidating JWTs) but did not call UserRefreshToken.deleteAllUserToken(). The refreshToken() method only checked token existence, not token_version. Both passwordChange() and signOut() correctly deleted all refresh tokens.

Impact

An attacker who previously obtained a refresh token retains access after password reset until the token expires.

Credit

This issue was reported by @bugbunny-research (bugbunny.ai).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.301.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T19:53:17Z",
    "nvd_published_at": "2026-03-02T17:16:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.\n\n### Details\n`passwordReset()` in `users.service.ts` updated `token_version` (invalidating JWTs) but did not call `UserRefreshToken.deleteAllUserToken()`. The `refreshToken()` method only checked token existence, not `token_version`. Both `passwordChange()` and `signOut()` correctly deleted all refresh tokens.\n\n### Impact\nAn attacker who previously obtained a refresh token retains access after password reset until the token expires.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).",
  "id": "GHSA-x4vh-j75g-268g",
  "modified": "2026-03-02T19:53:17Z",
  "published": "2026-03-02T19:53:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28396"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB\u0027s Refresh Tokens Not Revoked on Password Reset"
}

GHSA-X774-V4VM-3H8M

Vulnerability from github – Published: 2025-02-13 03:30 – Updated: 2025-02-13 03:30
VLAI
Details

An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-13T02:15:29Z",
    "severity": "MODERATE"
  },
  "details": "An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.",
  "id": "GHSA-x774-v4vm-3h8m",
  "modified": "2025-02-13T03:30:43Z",
  "published": "2025-02-13T03:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1198"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/511477"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7RP-QJ2H-GHGW

Vulnerability from github – Published: 2025-11-14 20:50 – Updated: 2025-11-14 20:50
VLAI
Summary
Flowise Fails to Invalidate Existing Sessions After Password Changes
Details

Summary

Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).

Details

After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user’s password change.

PoC

Repro steps: 1. As logged in user on two browsers (ie. Chrome and Firefox, with incognito/private mode) https://cloud.flowiseai.com/account change password, on the Chrome for example 2. Refresh the site on Firefox (second browser) - notice that still logged in (despite credentials were changed)

POC: Steps described above (in Repro steps) completed successfully.

Impact

Persistent unauthorized access despite credential rotation - undermines the primary purpose of password changes as a remediation step. Enables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact). If session tokens are not bound to the credential state, forced password changes won’t terminate attacker sessions.

Resources OWASP Session Management Cheat Sheet CWE-613: Insufficient Session Expiration

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T20:50:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nFailure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).\n\n### Details\nAfter a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user\u2019s password change.\n\n### PoC\n**Repro steps:**\n1. As logged in user on two browsers (ie. Chrome and Firefox, with incognito/private mode) https://cloud.flowiseai.com/account change password, on the Chrome for example\n2. Refresh the site on Firefox (second browser) - notice that still logged in (despite credentials were changed)\n\n**POC:**\nSteps described above (in Repro steps) completed successfully.\n\n### Impact\nPersistent unauthorized access despite credential rotation - undermines the primary purpose of password changes as a remediation step.\nEnables attackers with an active session (remote or physical access to a device) to continue acting as the user (confidentiality and integrity impact).\nIf session tokens are not bound to the credential state, forced password changes won\u2019t terminate attacker sessions.\n\n**Resources**\nOWASP Session Management Cheat Sheet\nCWE-613: Insufficient Session Expiration",
  "id": "GHSA-x7rp-qj2h-ghgw",
  "modified": "2025-11-14T20:50:36Z",
  "published": "2025-11-14T20:50:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x7rp-qj2h-ghgw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/pull/5294"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise Fails to Invalidate Existing Sessions After Password Changes"
}

GHSA-X855-7VWP-XJ8V

Vulnerability from github – Published: 2025-12-15 21:30 – Updated: 2025-12-15 21:30
VLAI
Details

IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-15T20:15:50Z",
    "severity": "MODERATE"
  },
  "details": "IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.",
  "id": "GHSA-x855-7vwp-xj8v",
  "modified": "2025-12-15T21:30:31Z",
  "published": "2025-12-15T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36360"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7254661"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X93J-3HH3-6X23

Vulnerability from github – Published: 2022-11-20 06:30 – Updated: 2022-11-21 23:55
VLAI
Summary
Insufficient Session Expiration in librenms/librenms
Details

Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T23:55:59Z",
    "nvd_published_at": "2022-11-20T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.",
  "id": "GHSA-x93j-3hh3-6x23",
  "modified": "2022-11-21T23:55:59Z",
  "published": "2022-11-20T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/ce8e5f3d056829bfa7a845f9dc2757e21e419ddc"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/72d426bb-b56e-4534-88ba-0d11381b0775"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in librenms/librenms"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.