
CWE-613 (Insufficient Session Expiration) — Vulnerability Class 302

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI Chinese analysis included.

CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By reusing tokens that should have expired but remain valid, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management that enforces strict expiration policies. This includes setting appropriate timeout durations for both active and idle sessions, ensuring that logout actions immediately invalidate server-side session data, and using secure, HttpOnly cookies to prevent client-side script access to session identifiers.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
<web-app>
  [...snipped...]
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>
Bad · Java
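A server-side session store that applies the mitigations described above (an idle timeout, an absolute lifetime, immediate invalidation on logout, rejection of destroyed identifiers, and rejection of sessions that predate a password change), written as an added Python example; it is not code from MITRE or from any project listed on this page, and the timeout values and the password-version scheme are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without activity ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours after login ends it regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    password_version: int  # assumed scheme: bumped on password change so older sessions die


class SessionStore:
    """Server-side store keyed by an unguessable identifier (the cookie value)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable clock so expiry can be exercised deterministically
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password_version: int) -> str:
        # A fresh random identifier on every login, never one supplied by the client,
        # defeats session fixation.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, password_version)
        return sid

    def validate(self, sid: str, current_password_version: int) -> Optional[str]:
        """Return the user for a live session; return None (and drop it) otherwise."""
        s = self._sessions.get(sid)
        if s is None:
            return None  # unknown or already-destroyed identifier: never resurrect it
        now = self._clock()
        dead = (now - s.last_seen > IDLE_TIMEOUT
                or now - s.created > ABSOLUTE_TIMEOUT
                or s.password_version != current_password_version)
        if dead:
            del self._sessions[sid]
            return None
        s.last_seen = now  # sliding idle window; the absolute limit does not slide
        return s.user

    def logout(self, sid: str) -> None:
        # Invalidate server side; clearing the cookie alone would leave the token reusable.
        self._sessions.pop(sid, None)
```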
CVE ID | Title | CVSS | Severity | Published
CVE-2024-8888 | Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT — CIRCUTOR Q-SMT | 10.0 | Critical | 2024-09-18
CVE-2024-38315 | IBM Aspera Shares session fixation — Aspera Shares | 6.3 | Medium | 2024-09-16
CVE-2024-32006 | Siemens SINEMA Remote Connect security vulnerability — SINEMA Remote Connect Client | 4.3 | Medium | 2024-09-10
CVE-2024-45187 | Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution | 7.1 | High | 2024-08-23
CVE-2024-39809 | BIG-IP Next Central Manager vulnerability — BIG-IP Next Central Manager | 7.5 | High | 2024-08-14
CVE-2022-45862 | Multiple Fortinet products code issue vulnerability — FortiPAM | 3.5 | Low | 2024-08-13
CVE-2022-38382 | IBM Cloud Pak for Security session fixation — QRadar Suite Software | 4.7 | Medium | 2024-08-13
CVE-2024-42447 | Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow — Apache Airflow Providers FAB | 9.1 (AI) | Critical (AI) | 2024-08-05
CVE-2023-26288 | IBM Aspera Orchestrator session fixation — Aspera Orchestrator | 5.5 | Medium | 2024-07-30
CVE-2022-32759 | IBM Security Directory Server information disclosure — Security Directory Integrator | 5.3 | Medium | 2024-07-25
CVE-2024-29070 | Apache StreamPark: session not invalidated after logout — Apache StreamPark | 6.5 (AI) | Medium (AI) | 2024-07-23
CVE-2024-41827 | JetBrains TeamCity security vulnerability — TeamCity | 7.4 | High | 2024-07-22
CVE-2024-27782 | Fortinet FortiAIOps code issue vulnerability — FortiAIOps | 7.7 | High | 2024-07-09
CVE-2024-5995 | Soar Cloud HR Portal - Insufficient Session Expiration — HR Portal | 8.8 | High | 2024-06-14
CVE-2024-35206 | Siemens SINEC Traffic Analyzer code issue vulnerability — SINEC Traffic Analyzer | 7.7 | High | 2024-06-11
CVE-2024-4680 | Insufficient Session Expiration in zenml-io/zenml — zenml-io/zenml | 9.1 | - | 2024-06-08
CVE-2024-35220 | @fastify/session reuses destroyed session cookie — session | 7.4 | High | 2024-05-21
CVE-2024-34709 | Directus Lacks Session Tokens Invalidation — directus | 5.4 | Medium | 2024-05-13
CVE-2023-40695 | IBM Cognos Controller session fixation — Cognos Controller | 6.3 | Medium | 2024-05-03
CVE-2024-22358 | IBM UrbanCode Deploy session fixation — UrbanCode Deploy | 6.3 | Medium | 2024-04-12
CVE-2024-31999 | @fastify/secure-session: Reuse of destroyed secure session cookie — fastify-secure-session | 7.4 | High | 2024-04-10
CVE-2024-31995 | zcap has incomplete expiration checks in capability chains. — zcap | 4.3 | Medium | 2024-04-10
CVE-2024-30262 | Contao's remember-me tokens will not be cleared after a password change — contao | 5.9 | Medium | 2024-04-09
CVE-2024-31447 | Shopware has Improper Session Handling in store-api — shopware | 5.3 | Medium | 2024-04-08
CVE-2024-25954 | Dell PowerScale OneFS code issue vulnerability — PowerScale OneFS | 5.3 | Medium | 2024-03-28
CVE-2024-1623 | Insufficient session timeout vulnerability in Sagemcom router — FAST3686 V2 Vodafone | 7.7 | High | 2024-03-14
CVE-2023-45600 | AiLux imx6 security vulnerability — imx6 bundle | 5.6 | Medium | 2024-03-05
CVE-2024-21722 | [20240201] - Core - Insufficient session expiration in MFA management views — Joomla! CMS | 4.3 | - | 2024-02-20
CVE-2023-50270 | Apache DolphinScheduler: Session do not expire after password change — Apache DolphinScheduler | 9.1 (AI) | Critical (AI) | 2024-02-20
CVE-2024-21492 | caddy-security security vulnerability — github.com/greenpau/caddy-security | 4.8 | Medium | 2024-02-17

(AI) marks a CVSS score or severity that the page flags as AI-derived rather than taken from the published record.

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.