DSF OIDC Session Missing Timeout Vulnerability (CVE-2024-4039)

Vulnerability Summary: OIDC Session Lacks Timeout Configuration Overview In OpenID Connect (OIDC) authentication, the session is not configured with a maximum inactivity timeout. This means the session persists indefinitely after login, even if the OIDC access token has expired. Impact Scope Affected Components: - (Maven) < 2.1.0 - (Maven) < 2.1.0 - (Maven) < 2.1.0 Specific Impacts: - If a user logs in via OIDC and leaves the browser without explicitly logging out, the session remains valid. - Another person can use the same browser to access the DSF UI and operate with the previous user's privileges. - This poses a realistic threat when used in hospital environments with shared workstations. - Only affects OIDC browser sessions; does not apply to mTLS machine-to-machine communication. Remediation Commits: , Fix Details: - Added a configurable session timeout via (default: PT30M). - Enabled in the OpenID configuration to restrict session lifetime to the token lifetime. - WebSocket sessions now close on when credentials expire, preventing stale WebSocket connections from continuing to receive events. Additional Information Severity: Medium (6.8 / 10) CVSS v4 Base Metrics: - Attack Vector: Physical - Attack Complexity: Low - Attack Requirements: None - Privileges Required: None - User Interaction: None - System Impact Metrics: - Confidentiality: High - Integrity: High - Availability: None - Subsequent System Impact Metrics: - Confidentiality: None - Integrity: None - Availability: None CVE ID: CVE-2024-4039 Weakness: CWE-613

Goal Reached Thanks to every supporter — we hit 100%!

DSF OIDC Session Missing Timeout Vulnerability (CVE-2024-4039)

More from this source