GHSA-vm6p-35rw-3fxc

Suggest an improvement
Source
https://github.com/advisories/GHSA-vm6p-35rw-3fxc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vm6p-35rw-3fxc/GHSA-vm6p-35rw-3fxc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vm6p-35rw-3fxc
Aliases
Published
2022-08-09T00:00:25Z
Modified
2023-11-01T04:58:28.721616Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Cockpit before 2.2.0 vulnerable to Insufficient Session Expiration
Details

Cockpit before version 2.2.0 is vulnerable to Insufficient Session Expiration. The application does not validate requests after password changes, allowing a user to change their account details even after an admin changes their password.

Database specific 
{
    "github_reviewed": true,
    "nvd_published_at": "2022-08-08T15:15:00Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-613"
    ],
    "github_reviewed_at": "2022-08-18T19:14:08Z"
}
References

Affected packages

Packagist / aheinze/cockpit

Package

Name
aheinze/cockpit
Purl
pkg:composer/aheinze/cockpit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.0

Affected versions

0.*
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vm6p-35rw-3fxc/GHSA-vm6p-35rw-3fxc.json"