Use of a Key Past its Expiration Date
CWE-324

CVE IDCVSSVendorExploitPatchTrends
CVE-2024-7318A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
CVSS 4.8Keycloak, et al

-

Patched

Trending graph for this CVE
CVE-2024-6299Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date
CVSS 3.7

-

-

Trending graph for this CVE
CVE-2024-38277A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
CVSS LowMoodle

-

Patched

Trending graph for this CVE
CVE-2024-36031In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry time of a key is unconditionally overwritten during instantiation, defaulting to turn it permanent. This causes a problem for DNS resolution as the expiration set by user-space is overwritten to TIME64_MAX, disabling further DNS updates. Fix this by restoring the condition that key_set_expiry is only called when the pre-parser sets a specific expiry.
CVSS 9.8Linux

-

Patched

Trending graph for this CVE
CVE-2024-31895IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288176.
CVSS 4.3Ibm

-

-

Trending graph for this CVE
CVE-2024-31894IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288175.
CVSS 4.3Ibm

-

-

Trending graph for this CVE
CVE-2024-31893IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.
CVSS 4.3Ibm

-

-

Trending graph for this CVE
CVE-2022-35401An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.
CVSS 8.1

Exploit

-

Trending graph for this CVE
CVE-2022-24732Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms.
CVSS 8.8Maddy project

-

Patched

Trending graph for this CVE
CVE-2022-2447A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected.
CVSS 6.6Openstack, et al

Exploit

Patched

Trending graph for this CVE
CVE-2021-33020Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
CVSS 7.5Philips

-

Patched

Trending graph for this CVE
CVE-2019-3790The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
CVSS LowPivotal software

-

Patched

Trending graph for this CVE