
Insufficient Session Expiration


Severity High
Score 8.8/10


When an authentication mechanism other than PKI is in use and the user clicks Log Out, nifi-administration versions 1.0.0 to 1.9.2 and nifi-web-security up to 1.9.2 invalidate the authentication token on the client side only, not on the server side. Any copy of the user's token therefore remains valid for up to 12 hours after logout and can still be used to make API requests to NiFi.
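To make the failure mode concrete, here is an added illustration that is not NiFi's own code: a minimal token service with an HMAC-signed bearer token carrying a `jti` (token id) and `exp` (expiry) claim. The `TokenService` class, its methods, the 12-hour TTL constant, the constructed signing key and the fixed timestamps in `demo()` are all assumptions made for this example. It contrasts a client-only logout, where the server is never told and a surviving copy of the token keeps working until expiry, with a server-side logout that records the token id in a revocation list checked on every request.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 12 * 3600  # the 12-hour validity window described in the advisory


class TokenService:
    """Issues HMAC-signed bearer tokens and tracks server-side revocations.

    Illustrative stand-in, not Apache NiFi's implementation. 'now' is passed
    explicitly so the example runs deterministically offline.
    """

    def __init__(self, key: bytes, ttl: int = TOKEN_TTL_SECONDS):
        self._key = key
        self._ttl = ttl
        # token id -> expiry; an entry is only needed until the token would
        # have expired on its own, so the list can be pruned and stays bounded
        self._revoked: Dict[str, int] = {}

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: int) -> str:
        payload = {"sub": user, "jti": secrets.token_hex(8), "exp": now + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def _parse(self, token: str) -> Optional[dict]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def logout(self, token: str) -> None:
        """Server-side logout: remember the token id until its natural expiry."""
        payload = self._parse(token)
        if payload is not None:
            self._revoked[payload["jti"]] = payload["exp"]

    def prune(self, now: int) -> None:
        """Drop revocation entries for tokens that have expired anyway."""
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}

    def revoked_count(self) -> int:
        return len(self._revoked)

    def authorize(self, token: str, now: int) -> bool:
        """Accept only a validly signed, unexpired, non-revoked token."""
        payload = self._parse(token)
        if payload is None or now >= payload["exp"]:
            return False
        return payload["jti"] not in self._revoked


def demo() -> Dict[str, bool]:
    svc = TokenService(key=b"constructed-demo-key")  # constructed key, not a real secret
    t0 = 1_000_000  # constructed login time

    # Vulnerable pattern: the client discards its token but never tells the
    # server, so a surviving copy is still accepted hours later.
    token = svc.issue("alice", t0)
    surviving_copy = token
    token = None  # client-side "logout"
    still_accepted = svc.authorize(surviving_copy, t0 + 6 * 3600)

    # Hardened pattern: logout is recorded server-side and enforced per request.
    token2 = svc.issue("alice", t0)
    svc.logout(token2)
    rejected_after_logout = not svc.authorize(token2, t0 + 6 * 3600)

    # Natural expiry still applies, after which the revocation entry is pruned.
    expired = not svc.authorize(token2, t0 + TOKEN_TTL_SECONDS)
    svc.prune(t0 + TOKEN_TTL_SECONDS)
    pruned = svc.revoked_count() == 0

    return {
        "client_only_logout_still_accepted": still_accepted,
        "server_side_logout_rejected": rejected_after_logout,
        "expired_rejected": expired,
        "revocation_list_pruned": pruned,
    }


if __name__ == "__main__":
    print(demo())
```

The revocation list is keyed by token id rather than by the whole token and carries the token's own expiry, so entries can be pruned once the token would be rejected anyway; this keeps the server-side state proportional to the number of logouts within one TTL window rather than growing forever.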


CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Advisory Timeline

  • Published