CVE-2024-21492

All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.
Configurations

No configuration.

History

21 Nov 2024, 08:54

Type Values Removed Values Added
References () https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ - () https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ -
References () https://github.com/greenpau/caddy-security/issues/272 - () https://github.com/greenpau/caddy-security/issues/272 -
References () https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787 - () https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787 -

20 Feb 2024, 19:50

Type Values Removed Values Added
Summary
  • (es) Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una caducidad de sesión insuficiente debido a una invalidación incorrecta de la sesión del usuario al hacer clic en el botón "Cerrar sesión". Las sesiones de usuario siguen siendo válidas incluso después de enviar solicitudes a /logout y /oauth2/google/logout. Los atacantes que obtienen acceso a una sesión activa pero supuestamente cerrada pueden realizar acciones no autorizadas en nombre del usuario.

17 Feb 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-17 05:15

Updated : 2024-12-06 19:15


NVD link : CVE-2024-21492

Mitre link : CVE-2024-21492

CVE.ORG link : CVE-2024-21492


JSON object : View

Products Affected

No product.

CWE
CWE-613

Insufficient Session Expiration