User Session Refresh Token No Longer Expiring After Logout
CVE-2024-39809

8.8HIGH

Key Information:

Vendor: F5
Status: Big-ip Next Central Manager
Vendor: CVE Published:; 14 August 2024

Summary

A vulnerability exists in F5 Networks' Central Manager where the user session refresh token does not expire upon user logout. This flaw can potentially allow unauthorized access to user sessions, leading to privacy breaches and data exposure risks. It is important for organizations to ensure that their systems are updated and that configurations are reviewed to mitigate this risk, especially in light of versions that have reached End of Technical Support (EoTS) not being evaluated for this vulnerability.

Affected Version(s)

BIG-IP Next Central Manager 20.1.0 < 20.2.0

References

https://my.f5.com/manage/s/article/K000140111

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 14, 2024
Vulnerability Reserved
Jul 22, 2024

Key Information:

Summary

Affected Version(s)

References

CVSS V3.1

Timeline

Credit