CVE-2024-29070
July 23, 2024, 9:15 a.m.
Tags
Product(s) Impacted
UNKNOWN
- 2.1.4 and above
Description
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4
Weaknesses
CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE ID: 613Date
Published: July 23, 2024, 9:15 a.m.
Last Modified: July 23, 2024, 9:15 a.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security@apache.org
References
security@apache.org