On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.
Mitigation:
all users should upgrade to 2.1.4
CVSS
No CVSS.
References
Configurations
No configuration.
History
No history.
Information
Published : 2024-07-23 09:15
Updated : 2024-07-24 12:55
NVD link : CVE-2024-29070
Mitre link : CVE-2024-29070
CVE.ORG link : CVE-2024-29070
JSON object : View
Products Affected
No product.
CWE
CWE-613
Insufficient Session Expiration