CVE-2022-41542 Session Misconfiguration in DevHub Application
Session misconfiguration is a widely known and common class of vulnerability.
Vulnerability Category: A5-Broken Access Control
Vulnerability Description: The application does not properly invalidate a user’s session on the server after the user initiates logout. User sessions remain active on the server, and any requests submitted including the user’s session identifier will execute successfully, as though the user had made those requests.
Impact: An attacker who obtains a previously used or still-valid session token can replay it to access the application as that user, even after the user has logged out.
Recommendation: The user’s HTTP session should be terminated on the server immediately after a logout action is performed. It is important to note that simply deleting the cookie from the browser will not terminate the server session. The session must be invalidated at the server, using the HTTP container’s intrinsic session abandonment mechanism.
Severity: Low
CVSS v3.0 Score: 3.8
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
How to Test:
2. Sign in using the credentials of a GitHub account.
3. Click on the profile photo in the top left corner.
4. It will redirect to the GitHub profile.
5. Click on Sign out.
You will be signed out.
You will find that the DevHub session has not been terminated, and you can still perform actions in the application.
Session not expired after logout
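To make the recommendation above and the test procedure concrete, the following is an added example (not DevHub's code, and not part of the original advisory). It models a toy in-memory session store with the two logout behaviours side by side: the flawed one, which only clears the browser cookie, and the recommended one, which abandons the server-side session first. The `replay_after_logout` function reproduces the advisory's test: sign in, sign out, then replay the captured token and check whether the server still accepts it. All class and function names are assumptions made for this example.

```python
import secrets
import time


class SessionServer:
    """Toy in-memory session store, constructed for this example (not DevHub's code).

    Sessions are keyed by a random token that the client carries in a cookie.
    """

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "created": float}

    def login(self, username):
        """Create a server-side session and return the token to place in the cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "created": time.time()}
        return token

    def whoami(self, token):
        """Return the user bound to the token, or None if no live session matches."""
        session = self._sessions.get(token)
        return session["user"] if session else None

    def logout_vulnerable(self, token):
        """The flawed pattern described in the advisory: the response tells the
        browser to drop the cookie, but the server-side record is left in place,
        so a replayed token keeps working."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_fixed(self, token):
        """The recommended pattern: abandon the server-side session first, then
        clear the cookie. A replayed token now maps to nothing."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def replay_after_logout(server, logout):
    """Reproduce the advisory's test against one logout implementation.

    Returns True if the old token is still accepted after logout (vulnerable)
    and False if the server rejects it (fixed).
    """
    token = server.login("alice")            # sign in; capture the session cookie
    assert server.whoami(token) == "alice"   # session is live before logout
    logout(token)                            # click Sign out
    return server.whoami(token) is not None  # replay the captured token


def check_both():
    """Run the replay test against both logout variants and return the results."""
    vulnerable = SessionServer()
    fixed = SessionServer()
    return {
        "vulnerable_logout_replay_accepted": replay_after_logout(
            vulnerable, vulnerable.logout_vulnerable),
        "fixed_logout_replay_accepted": replay_after_logout(
            fixed, fixed.logout_fixed),
    }


if __name__ == "__main__":
    for name, accepted in check_both().items():
        print(f"{name}: {'STILL VALID (finding)' if accepted else 'rejected (ok)'}")
```

The same replay check is what a tester performs manually in the steps above: the finding is confirmed when a request carrying the pre-logout session identifier still succeeds. In a real application the fix belongs in the server framework's own session abandonment call rather than a hand-written dictionary, but the property to verify is identical.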