Total
316 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2713 | 1 Agentejo | 1 Cockpit | 2024-02-28 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0. | |||||
| CVE-2022-31677 | 1 Vmware | 1 Pinniped | 2024-02-28 | N/A | 5.4 MEDIUM |
| An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow. | |||||
| CVE-2022-39234 | 1 Glpi-project | 1 Glpi | 2024-02-28 | N/A | 8.8 HIGH |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-35728 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2024-02-28 | N/A | 5.4 MEDIUM |
| devhub 0.102.0 was discovered to contain a broken session control. | |||||
| CVE-2022-3362 | 1 Ikus-soft | 1 Rdiffweb | 2024-02-28 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0. | |||||
| CVE-2022-2782 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 9.1 CRITICAL |
| In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | |||||
| CVE-2022-30699 | 2 Fedoraproject, Nlnetlabs | 2 Fedora, Unbound | 2024-02-28 | N/A | 6.5 MEDIUM |
| NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten. | |||||
| CVE-2022-30698 | 2 Fedoraproject, Nlnetlabs | 2 Fedora, Unbound | 2024-02-28 | N/A | 6.5 MEDIUM |
| NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information. | |||||
| CVE-2022-41291 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-02-28 | N/A | 6.5 MEDIUM |
| IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699. | |||||
| CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2024-02-28 | N/A | 6.5 MEDIUM |
| "IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532." | |||||
| CVE-2022-2888 | 1 Octoprint | 1 Octoprint | 2024-02-28 | N/A | 4.4 MEDIUM |
| If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. | |||||
| CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Old session tokens can be used to authenticate to the application and send authenticated requests. | |||||
| CVE-2022-3867 | 1 Hashicorp | 1 Nomad | 2024-02-28 | N/A | 4.3 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2. | |||||
| CVE-2022-34624 | 1 Mealie | 1 Mealie | 2024-02-28 | N/A | 5.9 MEDIUM |
| Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request. | |||||
| CVE-2022-41672 | 1 Apache | 1 Airflow | 2024-02-28 | N/A | 8.1 HIGH |
| In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | |||||
| CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
| CVE-2022-33137 | 1 Siemens | 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
| A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions. | |||||
| CVE-2019-5641 | 1 Rapid7 | 1 Insightvm | 2024-02-28 | N/A | 5.3 MEDIUM |
| Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | |||||
| CVE-2022-31145 | 1 Flyte | 1 Flyteadmin | 2024-02-28 | N/A | 6.5 MEDIUM |
| FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet. | |||||