CVE-2023-40537

CWE-613Insufficient Session Expiration4 documents4 sources
Severity
8.1HIGH
EPSS
0.4%
top 41.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
19
F5 Big-ipF5 Big-ip Access Policy ManagerF5 Big-ip Advanced Firewall Manager+16 more
Timeline
PublishedOct 10

Description

An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages19 packages

CVEListV5f5/big-ip16.1.016.1.4+3
NVDf5/big-ip_websafe15.1.015.1.9+2
NVDf5/big-ip_analytics15.1.015.1.9+2
NVDf5/big-ip_webaccelerator15.1.015.1.9+2
NVDf5/big-ip_link_controller15.1.015.1.9+2

🔴Vulnerability Details

2
CVEList
Multi-blade VIPRION Configuration utility session cookie vulnerability2023-10-10
GHSA
GHSA-hp29-cwpv-2m4x: An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VI2023-10-10

📋Vendor Advisories

1
F5
CVE-2023-40537: An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configur...2023-10-10
CVE-2023-40537 (HIGH CVSS 8.1) | An authenticated user's session coo | cvebase.io