CVE-2019-14826

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker who obtains previously valid session cookies could abuse this flaw to gain access to the session.

Published: 2019-09-17 16:15, Updated: 2019-10-09 23:46

CVSS Score: 2.1 / 10

| Vendor | Product | Version | URI |
|---|---|---|---|
| Freeipa | Freeipa | 4.5.0 | cpe:/a:freeipa:freeipa:4.5.0 |
| Freeipa | Freeipa | 4.5.1 | cpe:/a:freeipa:freeipa:4.5.1 |
| Freeipa | Freeipa | 4.5.2 | cpe:/a:freeipa:freeipa:4.5.2 |
| Freeipa | Freeipa | 4.5.3 | cpe:/a:freeipa:freeipa:4.5.3 |
| Freeipa | Freeipa | 4.5.4 | cpe:/a:freeipa:freeipa:4.5.4 |
| Freeipa | Freeipa | 4.6.0 | cpe:/a:freeipa:freeipa:4.6.0 |
| Freeipa | Freeipa | 4.6.1 | cpe:/a:freeipa:freeipa:4.6.1 |
| Freeipa | Freeipa | 4.6.2 | cpe:/a:freeipa:freeipa:4.6.2 |
| Freeipa | Freeipa | 4.6.3 | cpe:/a:freeipa:freeipa:4.6.3 |
| Freeipa | Freeipa | 4.6.4 | cpe:/a:freeipa:freeipa:4.6.4 |
| Freeipa | Freeipa | 4.6.5 | cpe:/a:freeipa:freeipa:4.6.5 |
| Freeipa | Freeipa | 4.6.90 | cpe:/a:freeipa:freeipa:4.6.90:pre1 |
| Freeipa | Freeipa | 4.6.90 | cpe:/a:freeipa:freeipa:4.6.90:pre2 |
| Freeipa | Freeipa | 4.7.0 | cpe:/a:freeipa:freeipa:4.7.0 |
| Freeipa | Freeipa | 4.7.1 | cpe:/a:freeipa:freeipa:4.7.1 |
| Freeipa | Freeipa | 4.7.2 | cpe:/a:freeipa:freeipa:4.7.2 |
| Freeipa | Freeipa | 4.7.90 | cpe:/a:freeipa:freeipa:4.7.90:pre1 |
| Freeipa | Freeipa | 4.8.0 | cpe:/a:freeipa:freeipa:4.8.0 |
| Redhat | Enterprise Linux | 7.0 | cpe:/o:redhat:enterprise_linux:7.0 |
| Redhat | Enterprise Linux | 8.0 | cpe:/o:redhat:enterprise_linux:8.0 |

CWE

| ID | Name | Description |
|---|---|---|
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |

History of changes

Date Event
2019-09-20 12:50
2019-09-17 17:05

New CVE