
CWE-613 (Insufficient Session Expiration) — Vulnerability Class 302

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI Chinese analysis included.

CWE-613 is a critical authentication weakness in which a web application fails to invalidate session identifiers after the user logs out or after a period of inactivity. A stale session token, whether captured by network sniffing, planted through session fixation, or simply left behind on a shared device the user walked away from, then remains a valid credential: whoever holds it passes authentication without ever cracking a password and reaches the user's account or administrative functions. Mitigation is server-side session management with strict expiration: an idle timeout and an absolute lifetime for every session, immediate destruction of server-side session state on logout, and session cookies flagged Secure and HttpOnly so that client-side script cannot read the identifier.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
  Scope: Access Control; Impact: Bypass Protection Mechanism

Mitigations (1)
  Phase: Implementation. Set sessions/credentials expiration date.

Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
    <web-app>
      [...snipped...]
      <session-config>
        <session-timeout>-1</session-timeout>
      </session-config>
    </web-app>

(Bad example, Java)
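As an added illustration (not code from this page or from any product listed on it), a minimal Python server-side session store that applies the mitigations described above: an idle timeout, an absolute lifetime, server-side invalidation on logout, and revocation of all of a user's sessions when their credentials or account status change. The timeout values, the injectable clock and the method names are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity after which a session dies (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime cap regardless of activity (assumed value)


class SessionStore:
    """Server-side session registry that enforces expiration (a CWE-613 mitigation)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}          # sid -> {"user", "created", "last_seen", "cred_version"}
        self._cred_version = {}      # user -> version, bumped when credentials/status change

    def login(self, user):
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable identifier
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "cred_version": self._cred_version.get(user, 0)}
        return sid

    def resolve(self, sid):
        """Return the user for a live session; expired or revoked sessions are deleted and yield None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        dead = (now - s["last_seen"] > IDLE_TIMEOUT                            # idle timeout
                or now - s["created"] > ABSOLUTE_TIMEOUT                        # absolute timeout
                or s["cred_version"] != self._cred_version.get(s["user"], 0))  # revoked
        if dead:
            del self._sessions[sid]   # drop server-side state, not just the client cookie
            return None
        s["last_seen"] = now          # activity extends the idle window, never the absolute one
        return s["user"]

    def logout(self, sid):
        """Logout must destroy server-side state; clearing the cookie alone leaves the token usable."""
        self._sessions.pop(sid, None)

    def revoke_user(self, user):
        """Call on password change, deactivation or deletion: every session issued before
        this call fails resolve() from now on, even if its timeouts have not elapsed."""
        self._cred_version[user] = self._cred_version.get(user, 0) + 1

    def live_count(self):
        return len(self._sessions)
```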
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-40228 | IBM DataPower Gateway session fixation | DataPower Gateway | 3.7 | Low | 2022-11-22
CVE-2022-4070 | Insufficient Session Expiration in librenms/librenms | librenms/librenms | 9.8 | - | 2022-11-20
CVE-2022-3362 | Insufficient Session Expiration in ikus060/rdiffweb | ikus060/rdiffweb | 9.8 | - | 2022-11-14
CVE-2022-3867 | Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected | Nomad | 2.7 | Low | 2022-11-10
CVE-2022-39234 | user session persists even after permanently deleting account in GLPI | glpi | 4.7 | Medium | 2022-11-03
CVE-2022-41672 | Session still functional after user is deactivated | Apache Airflow | 8.1 | - | 2022-10-07
CVE-2022-2888 | Insufficient Session Expiration in octoprint/octoprint | octoprint/octoprint | 4.4 | - | 2022-09-21
CVE-2022-2713 | Insufficient Session Expiration in cockpit-hq/cockpit | cockpit-hq/cockpit | 9.8 | - | 2022-08-08
CVE-2022-35728 | iControl REST vulnerability CVE-2022-35728 | BIG-IP | 8.1 | High | 2022-08-04
CVE-2022-31145 | Insufficient AccessToken Expiration Check in FlyteAdmin | flyteadmin | 6.5 | Medium | 2022-07-13
CVE-2022-33137 | Siemens SIMATIC code issue vulnerability | SIMATIC MV540 H | 8.1 | - | 2022-07-12
CVE-2022-2306 | Insufficient Session Expiration in heroiclabs/nakama | heroiclabs/nakama | 9.1 | - | 2022-07-05
CVE-2022-31050 | Insufficient Session Expiration in TYPO3 Admin Tool | typo3 | 6.0 | Medium | 2022-06-14
CVE-2022-2064 | Insufficient Session Expiration in nocodb/nocodb | nocodb/nocodb | 9.8 | - | 2022-06-13
CVE-2022-30277 | BD Synapsys™ – Insufficient Session Expiration | BD Synapsys™ | 5.7 | Medium | 2022-06-01
CVE-2022-24042 | Multiple Siemens products code issue vulnerability | Desigo DXR2 | 7.5 | - | 2022-05-10
CVE-2021-27751 | HCL Commerce is affected by an Insufficient Session Expiration vulnerability. | HCL Commerce | 4.4 | Medium | 2022-05-06
CVE-2022-23063 | Shopizer - Insufficient Session Expiration | Shopizer | 8.8 | High | 2022-05-03
CVE-2021-3461 | Red Hat Keycloak code issue vulnerability | keycloak | 8.1 | - | 2022-04-01
CVE-2022-0991 | Insufficient Session Expiration in admidio/admidio | admidio/admidio | 7.2 | - | 2022-03-19
CVE-2022-24743 | Insufficient Session Expiration in Sylius | Sylius | 7.1 | High | 2022-03-14
CVE-2022-24744 | Insufficient Session Expiration in shopware | platform | 2.6 | Low | 2022-03-09
CVE-2022-24732 | Maddy Mail Server does not implement account expiry | maddy | 6.3 | Medium | 2022-03-09
CVE-2021-25992 | ifme - Insufficient Session Expiration | ifme | 9.8 | Critical | 2022-02-10
CVE-2021-37866 | Session is not invalidated on server-side when user logged out of Boards | Mattermost Boards | 4.7 | Medium | 2022-01-18
CVE-2022-22113 | DayByDay CRM - Insufficient Session Expiration after Password Change | DaybydayCRM | 8.8 | High | 2022-01-13
CVE-2022-21652 | Insufficient Session Expiration in shopware | shopware | 3.5 | Low | 2022-01-05
CVE-2021-25981 | Talkyard - Insufficient Session Expiration | talkyard | 9.8 | Critical | 2022-01-03
CVE-2021-35034 | Zyxel NBG6604 code issue vulnerability | NBG6604 series firmware | 7.4 | High | 2021-12-29
CVE-2021-43791 | Ineffective expiration validation for invitation links in Zulip | zulip | 6.5 | Medium | 2021-12-02

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.