CVE-2021-35473

Severity: Critical | Year: 2021
CVSS v3 Score: 9.1 (Critical)

Vulnerability Description

An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use an expired access token from an OIDC client to access the OAuth2 handler. The earliest affected version is 2.0.4.

CVSS: 9.1 (Critical)

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run commands against the salt master or minions.)

CVSS: 9.1 (Critical)

An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted.

CVSS: 9.1 (Critical)

An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and ad...

CVSS: 9.1 (Critical)

Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.

CVSS: 9.1 (Critical)

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All ve...

CVSS: 9.1 (Critical)

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.