exploitDog

CVE-2024-1900

Published: 05 Mar 2024
Source: nvd
CVSS3: 5.5
EPSS: Low

Description

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365.

The user will stay authenticated until the Devolutions Server token expiration.

Vulnerable configurations

Configuration 1
cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Versions up to and including 2023.3.16.0

EPSS

Percentile: 24%
0.0008
Low

5.5 Medium

CVSS3

Weaknesses

CWE-613

Related vulnerabilities

CVSS3: 5.5
github
almost 2 years ago

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The user will stay authenticated until the Devolutions Server token expiration.
