Insufficient Session Expiration in snipe/snipe-it · CVE-2022-2997 · GitHub Advisory Database · GitHub

Insufficient Session Expiration in snipe/snipe-it

Moderate severity GitHub Reviewed Published Aug 26, 2022 to the GitHub Advisory Database • Updated Jan 29, 2023

Package

snipe/snipe-it (Composer)

Affected versions

< 6.0.10

Patched versions

6.0.10

Description

Session Fixation in GitHub repository snipe/snipe-it prior to version 6.0.10. The session is not invalidated after a password change.

References

Published by the National Vulnerability Database

Aug 25, 2022

Published to the GitHub Advisory Database Aug 26, 2022

Reviewed Aug 30, 2022

Last updated Jan 29, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N