Lucene search

GitHub Advisory DatabaseGHSA-VP66-GF7W-9M4X

HistoryFeb 17, 2024 - 6:30 a.m.

Insufficient Session Expiration in github.com/greenpau/caddy-security

2024-02-1706:30:34

CWE-613

GitHub Advisory Database

github.com

github.com/greenpau/caddy-security

vulnerability

insufficient session expiration

improper user session invalidation

sign out

unauthorized actions

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the “Sign Out” button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.

Affected configurations

Vulners

Node

github.com\/greenpau\/caddysecurityRange≤1.1.23

CPENameOperatorVersion
github.com/greenpau/caddy-securityle1.1.23

CPE	Name	Operator	Version
	github.com/greenpau/caddy-security	le	1.1.23

References

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy

github.com/advisories/GHSA-vp66-gf7w-9m4x

github.com/greenpau/caddy-security/issues/272

nvd.nist.gov/vuln/detail/CVE-2024-21492

security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for GHSA-VP66-GF7W-9M4X