Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-48317

Summary
Assigner-Tribe29
Assigner Org ID-f7d6281c-4801-44ce-ace2-493291dedb0f
Published At-20 Feb, 2023 | 16:55
Updated At-12 Mar, 2025 | 18:12
Rejected At-
Credits

Insecure Termination of RestAPI Session Tokens

Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Tribe29
Assigner Org ID:f7d6281c-4801-44ce-ace2-493291dedb0f
Published At:20 Feb, 2023 | 16:55
Updated At:12 Mar, 2025 | 18:12
Rejected At:
▼CVE Numbering Authority (CNA)
Insecure Termination of RestAPI Session Tokens

Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.

Affected Products
Vendor
tribe29 GmbHTribe29
Product
Checkmk
Default Status
unaffected
Versions
Affected
  • From 2.0.0 through 2.0.0p28 (semver)
  • From 2.1.0 through 2.1.0p10 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-613CWE-613 Insufficient Session Expiration
Type: CWE
CWE ID: CWE-613
Description: CWE-613 Insufficient Session Expiration
Metrics
VersionBase scoreBase severityVector
3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-180CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC ID: CAPEC-180
Description: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://checkmk.com/werk/14485
N/A
Hyperlink: https://checkmk.com/werk/14485
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://checkmk.com/werk/14485
x_transferred
Hyperlink: https://checkmk.com/werk/14485
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@checkmk.com
Published At:20 Feb, 2023 | 17:15
Updated At:23 Jul, 2024 | 19:37

Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CPE Matches
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:-:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b1:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b2:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b3:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b4:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b5:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b6:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b7:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b8:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:b9:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p1:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p10:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p2:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p3:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p4:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p5:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p6:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p7:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p8:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.1.0
cpe:2.3:a:checkmk:checkmk:2.1.0:p9:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:-:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b1:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b2:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b3:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b4:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b5:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b6:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b7:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:b8:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:i1:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p1:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p10:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p11:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p12:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p13:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p14:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p15:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p16:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p17:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p18:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p19:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p2:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p20:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p21:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p22:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p23:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p24:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p25:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p26:*:*:*:*:*:*
Checkmk GmbH
checkmk
>>checkmk>>2.0.0
cpe:2.3:a:checkmk:checkmk:2.0.0:p27:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-613Primarynvd@nist.gov
CWE-613Secondarysecurity@checkmk.com
CWE ID: CWE-613
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-613
Type: Secondary
Source: security@checkmk.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://checkmk.com/werk/14485security@checkmk.com
Vendor Advisory
Hyperlink: https://checkmk.com/werk/14485
Source: security@checkmk.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

58Records found
CVE-2022-35728
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-8.1||HIGH
EPSS-0.68% / 70.64%
||
7 Day CHG~0.00%
Published-04 Aug, 2022 | 17:49
Updated-16 Sep, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iControl REST vulnerability CVE-2022-35728

In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_application_acceleration_managerbig-ip_link_controllerbig-ip_policy_enforcement_managerbig-ip_fraud_protection_servicebig-iq_centralized_managementbig-ip_global_traffic_managerbig-ip_analyticsbig-ip_access_policy_managerbig-ip_domain_name_systembig-ip_local_traffic_managerbig-ip_advanced_firewall_managerbig-ip_application_security_managerBIG-IQ Centralized ManagementBIG-IP
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2022-3362
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 22.48%
||
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Session Expiration in ikus060/rdiffweb

Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.

Action-Not Available
Vendor-IKUS Software
Product-rdiffwebikus060/rdiffweb
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2021-25979
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.62%
||
7 Day CHG~0.00%
Published-08 Nov, 2021 | 14:20
Updated-30 Apr, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apostrophe - Insufficient Session Expiration

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

Action-Not Available
Vendor-apostrophecmsApostrophe
Product-apostrophecmsApostrophe
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2020-8234
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-1.80% / 82.02%
||
7 Day CHG~0.00%
Published-21 Aug, 2020 | 20:37
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection.

Action-Not Available
Vendor-n/aUbiquiti Inc.
Product-es-16-xges-24-250wes-48-liteep-s16es-24-500wedgemax_firmwarees-8-150wes-24-litees-16-150wes-48-750wes-48-500wes-12fEdgeSwitch firmware v1.9.0 and prior
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2020-29667
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.44% / 88.61%
||
7 Day CHG~0.00%
Published-10 Dec, 2020 | 08:07
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.

Action-Not Available
Vendor-lanatmservicen/a
Product-m3_atm_monitoring_systemn/a
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2020-35358
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.48% / 80.16%
||
7 Day CHG~0.00%
Published-15 Mar, 2021 | 11:55
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.

Action-Not Available
Vendor-domainmodn/a
Product-domainmodn/a
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2020-27416
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.73% / 71.67%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 18:36
Updated-04 Aug, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.

Action-Not Available
Vendor-mahadiscomn/a
Product-mahavitarann/a
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2020-17474
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 58.43%
||
7 Day CHG~0.00%
Published-14 Aug, 2020 | 19:22
Updated-04 Aug, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-facedepot_7b_firmwarezkbiosecurity_serverfacedepot_7bn/a
CWE ID-CWE-613
Insufficient Session Expiration
  • Previous
  • 1
  • 2
  • Next
Details not found