Insufficient Session Expiration Vulnerability Affects Caddy Security
CVE-2024-21492

4.8MEDIUM

Key Information:

Vendor: github.com/greenpau/caddy-security
Status: Github.com/greenpau/caddy-security
Vendor: CVE Published:; 17 February 2024

🔔 Create github.com/greenpau/caddy-security Vulnerability Alert

What is CVE-2024-21492?

All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.

Affected Version(s)

github.com/greenpau/caddy-security 0

References

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENP...

https://blog.trailofbits.com/2023/09/18/security-flaws-in...

https://github.com/greenpau/caddy-security/issues/272

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 17, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Maciej Domanski

Travis Peters

David Pokora