Insufficient Session Expiration

CVE-2022-37186

Medium

5.9/10

Summary

In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

Release Note
Issue
Advisory
Mail Thread

Advisory Timeline

Published Apr 16, 2023

Insufficient Session Expiration

CVE-2022-37186

Summary

CWE-613 - Insufficient Session Expiration

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS