Vulnerabilities > CVE-2019-5647 - Insufficient Session Expiration vulnerability in Rapid7 Appspider

CVSS 7.1 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

local

low complexity

rapid7

CWE-613

NVD

Published: 2020-01-22

Updated: 2020-01-30

Summary

The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue affects Rapid7 AppSpider version 3.8.213 and prior versions, and is fixed in version 3.8.215.

Vulnerable Configurations

Part	Description	Count
Application	Rapid7 Rapid7 Appspider 3.8.189 Rapid7 Appspider 3.8.196 Rapid7 Appspider 3.8.197 Rapid7 Appspider 3.8.198 Rapid7 Appspider 3.8.199 Rapid7 Appspider 3.8.200 Rapid7 Appspider 3.8.201 Rapid7 Appspider 3.8.202 Rapid7 Appspider 3.8.203 Rapid7 Appspider 3.8.204 Rapid7 Appspider 3.8.205 Rapid7 Appspider 3.8.206 Rapid7 Appspider 3.8.207 Rapid7 Appspider 3.8.209 Rapid7 Appspider 3.8.210 Rapid7 Appspider 3.8.211 Rapid7 Appspider 3.8.212 Rapid7 Appspider 3.8.213	18

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://help.rapid7.com/appspiderenterprise/release-notes/?rid=3.8.215