
CWE-613 (Insufficient Session Expiration) — Vulnerability Class, 302 CVEs

302 vulnerabilities are classified as CWE-613 (Insufficient Session Expiration). AI-generated Chinese-language analysis is included.

CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By reusing these expired credentials, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management protocols that enforce strict expiration policies. This includes setting appropriate timeout durations for both active and idle sessions, ensuring that logout actions immediately invalidate server-side session data, and utilizing secure, HttpOnly cookies to prevent client-side script access to session identifiers.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.

Bad · Java

<web-app>
  [...snipped...]
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>
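The introductory paragraph above lists the server-side controls that close this weakness (idle and absolute timeouts, immediate invalidation on logout, HttpOnly cookies), and several CVEs in the table below concern sessions that survive a password change. The following Python session store is an added illustration of those controls, not code from CWE, MITRE or any listed product; the timeout values, the `sid` cookie name and the `password_version` counter are assumptions chosen for the example. The web.xml fix for the snippet above is simply a positive session-timeout value in minutes; this example shows the same policy implemented explicitly.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed policy values for this example; tune them per application.
IDLE_TIMEOUT_S = 15 * 60        # drop a session after 15 minutes without a request
ABSOLUTE_TIMEOUT_S = 8 * 3600   # drop a session 8 hours after login, active or not


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    password_version: int        # version of the user's password when the session was issued


@dataclass
class SessionStore:
    """Server-side session table; the client holds only the opaque session ID."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    password_versions: Dict[str, int] = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        # Always issue a fresh, unguessable ID; never adopt one supplied by the client
        # (that is what session fixation relies on).
        sid = secrets.token_urlsafe(32)
        version = self.password_versions.get(user, 0)
        self.sessions[sid] = Session(user, now, now, version)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None and delete the record if it has expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        expired = (
            now - s.last_seen > IDLE_TIMEOUT_S                                   # idle timeout
            or now - s.created_at > ABSOLUTE_TIMEOUT_S                           # absolute timeout
            or s.password_version != self.password_versions.get(s.user, 0)      # password changed
        )
        if expired:
            del self.sessions[sid]          # expire on the server, not just in the cookie
            return None
        s.last_seen = now                   # sliding idle window
        return s.user

    def logout(self, sid: str) -> None:
        """Invalidate server-side state; clearing the browser cookie alone leaves the ID reusable."""
        self.sessions.pop(sid, None)

    def change_password(self, user: str) -> None:
        """Bump the version so every session issued before the change fails validation."""
        self.password_versions[user] = self.password_versions.get(user, 0) + 1


def session_cookie(sid: str) -> str:
    """Set-Cookie value that keeps the ID away from scripts and off plaintext connections."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={IDLE_TIMEOUT_S}"


def clear_cookie() -> str:
    """Set-Cookie value sent on logout; pair it with SessionStore.logout()."""
    return "sid=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", now=1000.0)
    print("active:", store.validate(sid, now=1500.0))
    print("after idle timeout:", store.validate(sid, now=1500.0 + IDLE_TIMEOUT_S + 1))
    sid = store.login("alice", now=2000.0)
    store.change_password("alice")
    print("after password change:", store.validate(sid, now=2001.0))
    print(session_cookie(store.login("alice", now=3000.0)))
```

The cookie's Max-Age only tells the browser when to discard the ID; the server-side checks in `validate` are what actually stop a stale ID from being replayed, which is the distinction the WASC definition above draws.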
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-36330 | Dell EMC Streaming Data Platform Code Issue Vulnerability | Dell EMC Streaming Data Platform | 8.1 | High | 2021-11-30
CVE-2021-42545 | Insufficient Session Expiration in TopEase | TopEase | 8.1 | High | 2021-11-30
CVE-2021-25985 | FactorJS - Insufficient Session Expiration Leads to a Local Account Takeover | Factor | 7.8 | High | 2021-11-16
CVE-2021-25940 | ArangoDB - Insufficient Session Expiration after Password Change | arangodb | 8.8 | High | 2021-11-16
CVE-2021-25979 | Apostrophe - Insufficient Session Expiration | Apostrophe | 9.8 | Critical | 2021-11-08
CVE-2021-41247 | incomplete logout in JupyterHub | jupyterhub | 3.5 | Low | 2021-11-04
CVE-2021-34739 | Cisco Small Business Series Switches Session Credentials Replay Vulnerability | Cisco Small Business Smart and Managed Switches | 8.1 | High | 2021-11-04
CVE-2021-25970 | Camaleon CMS - Insufficient Session Expiration after Password Change | camaleon_cms | 8.8 | High | 2021-10-20
CVE-2021-25966 | Orchard Core CMS - Improper Session Termination after Password Change | Users | 8.8 | High | 2021-10-10
CVE-2021-34428 | Eclipse Jetty Code Issue Vulnerability | Eclipse Jetty | 2.9 | Low | 2021-06-22
CVE-2021-22136 | Elastic Stack Kibana Code Issue Vulnerability | Kibana | 2.4 | - | 2021-05-13
CVE-2021-1501 | Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software SIP Denial of Service Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 8.6 | High | 2021-04-29
CVE-2021-31408 | Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 | Vaadin | 6.3 | Medium | 2021-04-23
CVE-2019-3867 | Red Hat Quay web application Code Issue Vulnerability | quay | 8.3 | - | 2021-03-18
CVE-2021-21032 | Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access | Magento Commerce | 6.5 | - | 2021-02-11
CVE-2021-21031 | Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access | Magento.com | 5.6 | - | 2021-02-11
CVE-2020-15220 | Session fixation | iTop | 6.1 | Medium | 2021-01-13
CVE-2020-15218 | Admin pages are cached and can be embedded | iTop | 6.8 | Medium | 2021-01-13
CVE-2020-8234 | EdgeMax EdgeSwitch Code Issue Vulnerability | EdgeSwitch firmware v1.9.0 and prior | 7.2 | - | 2020-08-21
CVE-2020-1776 | Invalidating or changing user does not invalidate session | ((OTRS)) Community Edition | 3.5 | Low | 2020-07-20
CVE-2020-6292 | SAP Disclosure Management Code Issue Vulnerability | SAP Disclosure Management | 8.8 | - | 2020-07-14
CVE-2020-1724 | Red Hat Keycloak Code Issue Vulnerability | keycloak | 4.3 | Medium | 2020-05-11
CVE-2020-1762 | Kiali Authorization Issue Vulnerability | kiali | 7.0 | High | 2020-04-27
CVE-2020-1768 | External Interface does not invalidate session | OTRS | 5.4 | Medium | 2020-02-07
CVE-2019-5647 | Rapid7 AppSpider Chrome Plugin Insufficient Session Expiration | AppSpider | 4.4 | Medium | 2020-01-22
CVE-2019-14826 | Red Hat FreeIPA Code Issue Vulnerability | ipa | 6.5 | - | 2019-09-17
CVE-2019-5638 | Rapid7 Nexpose Insufficient Session Management | Nexpose | 8.7 | High | 2019-08-21
CVE-2018-1127 | Red Hat Gluster Storage Tendrl API Security Vulnerability | Red Hat Gluster Storage | 8.1 | - | 2018-09-11
CVE-2016-6545 | iTrack Easy does not use session cookies to maintain sessions and POSTs the users password over HTTPS for each request | Easy | 9.8 | - | 2018-07-13
CVE-2017-12159 | Red Hat Keycloak Security Vulnerability | keycloak | 6.5 | - | 2017-10-26

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) account for 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.