logo

Database

Insecure session expiration time In github.com/greenpau/caddy-security

Description

Insufficient Session Expiration in github.com/greenpau/caddy-security All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-214922. NVD-2024-214923. OSV-2024-214924. GCVE-2024-21492

References

1. https://github.com/greenpau/caddy-security/issues/2722. https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.