CVE-2024-21492

All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/272
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5920787

Configurations

No configuration.

History

20 Feb 2024, 19:50

Type	Values Removed	Values Added
Summary		(es) Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una caducidad de sesión insuficiente debido a una invalidación incorrecta de la sesión del usuario al hacer clic en el botón "Cerrar sesión". Las sesiones de usuario siguen siendo válidas incluso después de enviar solicitudes a /logout y /oauth2/google/logout. Los atacantes que obtienen acceso a una sesión activa pero supuestamente cerrada pueden realizar acciones no autorizadas en nombre del usuario.

17 Feb 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-17 05:15

Updated : 2024-02-20 19:50

NVD link : CVE-2024-21492

Mitre link : CVE-2024-21492

CVE.ORG link : CVE-2024-21492

JSON object : View

Products Affected

No product.

CWE

CWE-613

Insufficient Session Expiration

4.8 /10