CVE-2024-29070

July 23, 2024, 9:15 a.m.

Tags

security@apache.org
CWE-613
2024-07-23
CVE-2024-29070

Product(s) Impacted

UNKNOWN

  • 2.1.4 and above

Description

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4

Weaknesses

CWE-613
Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

CWE ID: 613

Date

Published: July 23, 2024, 9:15 a.m.

Last Modified: July 23, 2024, 9:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

References

https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl
security@apache.org