cvelist Mend CVELIST:CVE-2021-25992
History: Feb 10, 2022 - 9:55 a.m.

CVE-2021-25992 ifme - Insufficient Session Expiration

2022-02-10 09:55:09
CWE-613
Mend
www.cve.org
cve-2021-25992
ifme
session expiration
admin cookies
security issue

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.5
Confidence: High

EPSS: 0.002
Percentile: 62.2%

Ifme versions 1.0.0 to v7.33.2 do not properly invalidate a user's session even after the user has initiated logout. This makes it possible for an attacker to reuse the admin cookies, either via local/network access or by other hypothetical attacks.

CNA Affected

[
  {
    "product": "ifme",
    "vendor": "ifmeorg",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v7.33.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
