CVE-2024-25718 - Insufficient Session Expiration vulnerability in Dropbox Samly
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return a session whose SAML assertion has already expired. Because Samly.AuthHandler reuses whatever cached session the store hands back and never replaces it, a session keeps granting access after its expiry, which defeats the access control the assertion's validity window is supposed to enforce. The fix shipped in 1.4.0 (see the hex.pm diff and the pull request in the references).
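The following is an added illustration, not Samly's own code: a minimal session store and handler in the shape the advisory describes, with the vulnerable lookup (returns the cached entry regardless of expiry) beside a hardened one (treats an expired assertion as absent, so the handler starts a fresh IdP round trip). The module, struct and function names, the `not_on_or_after` field standing in for the assertion's validity deadline, and the sample assertion are all assumptions constructed for this example.

```elixir
# Added example, not Samly's code. Names, struct fields and sample data are
# assumptions that mirror the pattern in the advisory: a store lookup plus a
# handler that trusts whatever the lookup returns.
defmodule SessionExpiryDemo do
  defmodule Assertion do
    # `not_on_or_after` stands in for the validity deadline a SAML assertion
    # carries (Conditions / SubjectConfirmationData); the field name is an
    # assumption for this example.
    defstruct [:idp_id, :name_id, :attributes, :not_on_or_after]
  end

  # Cache an assertion under its {idp_id, name_id} key, the way a session
  # store keyed on the SAML subject would.
  def put_assertion(store, %Assertion{} = a) do
    Map.put(store, {a.idp_id, a.name_id}, a)
  end

  # Vulnerable lookup: hands back whatever is cached without consulting the
  # validity deadline. A caller that treats any non-nil result as
  # "authenticated" keeps honouring the session after it has expired.
  def get_assertion_vulnerable(store, key, _now) do
    Map.get(store, key)
  end

  # Hardened lookup: an assertion whose deadline has passed is reported as
  # absent, so the caller starts a fresh IdP round trip instead of reusing
  # the stale session. Evicting the entry from the cache is left out to keep
  # the lookup pure; a real store would drop it here as well.
  def get_assertion_fixed(store, key, now) do
    case Map.get(store, key) do
      %Assertion{not_on_or_after: deadline} = a ->
        # NotOnOrAfter semantics: valid strictly before the deadline.
        if DateTime.compare(now, deadline) == :lt, do: a, else: nil

      nil ->
        nil
    end
  end

  # Handler in the shape the advisory describes: if the store returns a
  # session it is used as-is; otherwise the user is sent to the IdP.
  # Whether an expired session survives is decided entirely by the lookup.
  def handle_request(store, key, now, lookup) do
    case lookup.(store, key, now) do
      %Assertion{attributes: attrs} -> {:ok, attrs}
      nil -> {:redirect, :idp_signin}
    end
  end

  # Constructed sample: an assertion valid for five minutes, queried one hour
  # after issue through both lookups.
  def demo do
    issued = ~U[2024-02-01 10:00:00Z]

    assertion = %Assertion{
      idp_id: "idp1",
      name_id: "alice",
      attributes: %{"email" => "alice@example.com"},
      not_on_or_after: DateTime.add(issued, 5 * 60, :second)
    }

    store = put_assertion(%{}, assertion)
    key = {"idp1", "alice"}
    one_hour_later = DateTime.add(issued, 60 * 60, :second)

    %{
      vulnerable: handle_request(store, key, one_hour_later, &get_assertion_vulnerable/3),
      fixed: handle_request(store, key, one_hour_later, &get_assertion_fixed/3)
    }
  end
end

IO.inspect(SessionExpiryDemo.demo())
```

Save the block as a `.exs` file and run it with `elixir`; the vulnerable path still yields the user's attributes an hour after a five-minute assertion was issued, while the hardened path redirects to the IdP. For a real deployment the check is to upgrade Samly to 1.4.0 or later; an application that plugs in its own Samly.State.Store implementation should also confirm that its get_assertion/3 refuses expired assertions, since the handler does not re-check them.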
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
Common Weakness Enumeration (CWE)
References
- https://diff.hex.pm/diff/samly/1.3.0..1.4.0
- https://github.com/dropbox/samly
- https://github.com/dropbox/samly/pull/13
- https://github.com/dropbox/samly/pull/13/commits/812b5c3ad076dc9c9334c1a560c8e6470607d1eb
- https://github.com/handnot2/samly
- https://hex.pm/packages/samly