Threats Tagged 'cwe-613'
View all threats tagged with 'cwe-613'. Filter and sort to focus on specific types of threats.
CVE-2026-49277: CWE-613: Insufficient Session Expiration in RocketChat Rocket.Chat
Rocket.Chat versions prior to 7.10.12, 7.13.8, 8.0.6, 8.1.5, 8.2.4, 8.3.4, 8.4.2, and 8.5.0 do not revoke OAuth bearer or refresh tokens when a user is deactivated. This allows a deactivated user to continue using existing OAuth access tokens and mint new access tokens from existing refresh tokens. The issue is addressed in the specified fixed versions.
Source: CVE Database V5 | 06/24/2026, 21:04:09 UTC | Added: 06/24/2026, 21:32:18 UTC
CVE-2026-45757: CWE-613: Insufficient Session Expiration in RocketChat Rocket.Chat
Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allow users deactivated for idleness to continue using previously issued login tokens. This insufficient session expiration issue enables inactive users to access authenticated REST endpoints despite administrative deactivation. The vulnerability is classified under CWE-613 and has a low CVSS score of 2.3. Fixes have been released in the specified versions.
Source: CVE Database V5 | 06/24/2026, 21:01:56 UTC | Added: 06/24/2026, 21:32:18 UTC
CVE-2026-54321: CWE-613: Insufficient Session Expiration in daytonaio daytona
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. From 0.101.0 until 0.184.0, sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, because a cached visibility state was not invalidated when the sandbox's visibility changed. This vulnerability is fixed in 0.184.0.
Source: CVE Database V5 | 06/23/2026, 18:10:05 UTC | Added: 06/23/2026, 18:54:13 UTC
CVE-2026-55423: CWE-613: Insufficient Session Expiration in langflow-ai langflow
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.
Source: CVE Database V5 | 06/23/2026, 16:27:19 UTC | Added: 06/23/2026, 16:39:54 UTC
CVE-2025-62340: CWE-613: Insufficient Session Expiration in HCL Software iControl
HCL Software iControl version 4.2.0 is affected by an insufficient session expiration vulnerability (CWE-613). The web application does not automatically terminate user sessions after a period of inactivity, potentially allowing sessions to remain active longer than intended. The vulnerability has a low severity rating with a CVSS score of 3.1. No official patch or remediation guidance has been provided by the vendor at this time.
Source: CVE Database V5 | 06/17/2026, 12:17:23 UTC | Added: 06/17/2026, 12:46:18 UTC
CVE-2026-46401: CWE-613: Insufficient Session Expiration in haxtheweb issues
HAX CMS helps manage a microsite universe with PHP or NodeJS backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability in which authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.
Source: CVE Database V5 | 06/05/2026, 19:18:05 UTC | Added: 06/05/2026, 19:33:38 UTC
CVE-2026-48726: CWE-613: Insufficient Session Expiration in Apache Software Foundation Apache Airflow
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
Source: CVE Database V5 | 06/01/2026, 07:35:19 UTC | Added: 06/01/2026, 09:18:45 UTC