GHSA-vm6p-35rw-3fxc

Source
https://github.com/advisories/GHSA-vm6p-35rw-3fxc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vm6p-35rw-3fxc/GHSA-vm6p-35rw-3fxc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vm6p-35rw-3fxc
Aliases
Published
2022-08-09T00:00:25Z
Modified
2023-11-08T04:08:56.146982Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Cockpit before 2.2.0 vulnerable to Insufficient Session Expiration
Details

Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration (CWE-613). The application does not re-validate existing sessions after a password change, so a user whose password has been changed by an administrator can keep using their existing session and continue to change their account details.

Database specific
{
    "nvd_published_at": "2022-08-08T15:15:00Z",
    "github_reviewed_at": "2022-08-18T19:14:08Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-613"
    ]
}
References

Affected packages

Packagist / aheinze/cockpit

Package

Name
aheinze/cockpit
Purl
pkg:composer/aheinze/cockpit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.0

Affected versions

0.*

0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2