Insufficient Session Expiration
CVE-2019-12421
Summary
When an authentication mechanism other than PKI (client certificates) is in use, clicking Log Out in Apache NiFi (nifi-administration versions 1.0.0 to 1.9.2 and nifi-web-security up to 1.9.2) removes the authentication token on the client side only; the server does not invalidate it. Anyone holding a copy of that client-side token (for example from a proxy log or a captured request) can therefore keep making API requests to NiFi with it for up to 12 hours after the user logged out, i.e. until the token expires on its own. The fix that invalidates the token server-side at logout shipped in Apache NiFi 1.10.0.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
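The summary above and the CWE-613 definition describe the same defect: logout is a client-side action, so a token that already left the client remains a valid credential until its own expiry. The following is an added example, not NiFi's code, that models that behaviour with a minimal HS256 JWT-style token: one server flag selects the vulnerable logout (no server-side record) or the corrected one (a denylist keyed by the token's `jti` until `exp`). The signing key, the 12-hour lifetime and the `Server`/`Client` classes are assumptions made for the illustration; the replay scenario is a constructed sequence, not a captured exchange.

```python
"""Client-only vs server-side logout for a bearer token (added illustration)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET = b"assumed-static-signing-key"  # assumption: server-side HMAC key
TOKEN_LIFETIME = 12 * 3600              # 12-hour window, as in the advisory


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username: str, now: float) -> str:
    """Mint an HS256-signed token with a unique id (jti) and a 12h expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": int(now),
               "exp": int(now) + TOKEN_LIFETIME, "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify(token: str, now: float) -> Optional[dict]:
    """Return the payload if signature and expiry are valid, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
        if payload["exp"] <= now:
            return None
        return payload
    except (ValueError, KeyError):  # malformed base64/JSON or missing claims
        return None


class Server:
    """revoke_on_logout=False reproduces the vulnerable behaviour."""

    def __init__(self, revoke_on_logout: bool):
        self.revoke_on_logout = revoke_on_logout
        self._revoked = {}  # jti -> exp; entries are dropped once the token expires anyway

    def login(self, username: str, now: float) -> str:
        return issue_token(username, now)

    def logout(self, token: str, now: float) -> None:
        if not self.revoke_on_logout:
            return  # vulnerable: nothing is recorded server-side
        payload = _verify(token, now)
        if payload:
            self._revoked[payload["jti"]] = payload["exp"]

    def authenticate(self, token: str, now: float) -> Optional[str]:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        payload = _verify(token, now)
        if payload is None or payload["jti"] in self._revoked:
            return None
        return payload["sub"]


class Client:
    """A browser that only ever holds the token in local storage."""

    def __init__(self):
        self.token = None

    def login(self, srv: Server, user: str, now: float) -> None:
        self.token = srv.login(user, now)

    def logout(self, srv: Server, now: float) -> None:
        srv.logout(self.token, now)
        self.token = None  # the only effect of the vulnerable logout


def replay_after_logout(server_revokes_on_logout: bool) -> dict:
    """Constructed scenario: a copy of the token captured before logout is replayed."""
    srv, client = Server(server_revokes_on_logout), Client()
    t0 = 1_700_000_000.0
    client.login(srv, "alice", t0)
    stolen = client.token            # copy taken before the user logs out
    client.logout(srv, t0 + 60)      # user clicks Log Out one minute later
    return {
        "client_has_token": client.token is not None,
        "replay_1h": srv.authenticate(stolen, t0 + 3600),
        "replay_13h": srv.authenticate(stolen, t0 + 13 * 3600),
    }


if __name__ == "__main__":
    print("vulnerable:", replay_after_logout(False))
    print("fixed:     ", replay_after_logout(True))
```

The same scenario is the manual check for this class of bug: log in, save the bearer token from a request, log out through the UI, then replay an API request with the saved token. A server that still answers with the user's identity after logout has client-only session termination; it should reject the token immediately, not at `exp`.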
References
Advisory Timeline
- Published