We found results for “”
WS-2023-0251
Good to know:
Date: July 5, 2023
An Insufficient Session Expiration exists in graylog server. After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore - but the session is still usable after logout. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out.The issue is fixed in versions 5.0.9 and 5.1.3.
Language: Java
Severity Score
Severity Score
Weakness Type (CWE)
Insufficient Session Expiration
CWE-613Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | LOW |
Integrity (I): | LOW |
Availability (A): | NONE |