Insufficient Session Expiration

CVE-2021-3461

Severity High
Score 7.1/10

Summary

A flaw was found in Keycloak before 13.0.1, where Keycloak may fail to log out a user session if the logout request comes from an external SAML identity provider and Principal Type is set to Attribute [Name].

  • LOW
  • LOCAL
  • HIGH
  • UNCHANGED
  • REQUIRED
  • NONE
  • HIGH
  • NONE

CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Advisory Timeline

  • Published