CVE-2023-0227
published 2023-01-12CVE-2023-0227: Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.
PriorityP430medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.66%
46.7th percentile
Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev36 | 0.5.0b3.dev36 |
| pyload-ng_project | pyload-ng | 0 – 0.5.0b3.dev97 | — |
| pyload | pyload | < 2023-01-12 | 2023-01-12 |
| pyload | pyload_pyload | >= unspecified < 0.5.0b3.dev36 | 0.5.0b3.dev36 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv3.08.3HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
ghsa6.5MEDIUM
vendor_oracle7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
ghsa·2026-04-14·CVSS 6.5
[MEDIUM] CWE-613 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
### Summary
pyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.
As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions.
This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature.
### Details
The WebUI auth flow stores authorization state in session:
- `src/pyload/webui/app/helpers.py:187-200`
- `set_session(...)` writes:
- `"role": user_info["role"]`
- `"perms": user_info["permission"]`
Authorization checks
OSV
Pyload Insufficient Session Expiration vulnerability
osv·2023-01-12
CVE-2023-0227 [MEDIUM] Pyload Insufficient Session Expiration vulnerability
Pyload Insufficient Session Expiration vulnerability
Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.
GHSA
Pyload Insufficient Session Expiration vulnerability
ghsa·2023-01-12
CVE-2023-0227 [MEDIUM] CWE-613 Pyload Insufficient Session Expiration vulnerability
Pyload Insufficient Session Expiration vulnerability
Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.
Oracle
Oracle Oracle Analytics Risk Matrix: Installation (Apache Axis) — CVE-2019-0227
vendor_oracle·2023-07-15·CVSS 7.5
CVE-2019-0227 [HIGH] Oracle Oracle Analytics Risk Matrix: Installation (Apache Axis) — CVE-2019-0227
Oracle Oracle Analytics Risk Matrix: Installation (Apache Axis) vulnerability
CVE: CVE-2019-0227
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Adjacent
Network
Advisory: cpujul2023 (JUL 2023)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-01-12
Published