CVE-2021-35342

Published: Aug 27, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled).

Affected (2)

Products: Northern.tech: Useradm

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Northern.tech Useradm	Version 1.14.0

Running on/with	Platform Versions
Northern.tech Mender	From 2.7.0 to 2.7.1

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Northern.tech Useradm	Version 1.13.0

Running on/with	Platform Versions
Northern.tech Mender	From 2.6.0 to 2.6.1

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (4)

https://mender.io/blog/cve-2021-35342-useradm-logout-vulnerabililty

Source: cve@mitre.org

Third Party Advisory

https://northern.tech/our-products

Source: cve@mitre.org

ProductVendor Advisory

https://mender.io/blog/cve-2021-35342-useradm-logout-vulnerabililty

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://northern.tech/our-products

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.