User Session Refresh Token No Longer Expiring After Logout
CVE-2024-39809

8.8HIGH

Key Information:

Vendor: F5
Status: Big-ip Next Central Manager
Vendor: CVE Published:; 14 August 2024

What is CVE-2024-39809?

A vulnerability exists in F5 Networks' Central Manager where the user session refresh token does not expire upon user logout. This flaw can potentially allow unauthorized access to user sessions, leading to privacy breaches and data exposure risks. It is important for organizations to ensure that their systems are updated and that configurations are reviewed to mitigate this risk, especially in light of versions that have reached End of Technical Support (EoTS) not being evaluated for this vulnerability.

Affected Version(s)

BIG-IP Next Central Manager 20.1.0 < 20.2.0

References

https://my.f5.com/manage/s/article/K000140111

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 14, 2024
Vulnerability Reserved
Jul 22, 2024

F5

What is CVE-2024-39809?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit