CVE-2024-1900
MEDIUM
Devolutions Server < 2023.3.16.0 - Authenticated Insufficient Session Expiration in Identity Provider Flow
Title source: llmDescription
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows a user authenticated via an identity provider to remain authenticated after their user account is disabled or deleted in the identity provider (such as Okta or Microsoft O365). The user remains authenticated until the Devolutions Server token expires.
References (1)
Core References
Vendor Advisory
https://devolutions.net/security/advisories/DEVO-2024-0002
Scores
CVSS v3
5.5
EPSS
0.0023
EPSS Percentile
13.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (1)
devolutions/devolutions_server
< 2023.3.16.0
Published
Mar 05, 2024
Tracked Since
Feb 18, 2026