logo

Database

Insecure session management In vantage6

Description

vantage6 refresh tokens do not expire From issue:

Problem description Currently, the refresh token is valid indefinitely. This is bad security practice.

Desired solution The refresh token should get a validity of 24-48 hours.

Additional context

When implementing this, also check that the refresh token returns a new refresh token When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid. When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.

Patches

None available

Workarounds

None available

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-239292. NVD-2023-239293. OSV-2023-239294. GHSA-4w59-c3gc-rrhp5. GCVE-2023-23929

References

1. https://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp2. https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce83. https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-54.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.