
CVE-2023-1543: Answer vulnerable to Insufficient Session Expiration

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.19725%
Published: 3/21/2023
Updated: 3/23/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: github.com/answerdev/answer
Ecosystem: go
Vulnerable Versions: < 1.0.6
First Patched Version: 1.0.6

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from incomplete session invalidation during logout. The patch adds 'RemoveAdminUserCacheInfo' to the logout flow, indicating that the original UserLogout function in user_controller.go only cleared the regular user cache (via RemoveUserCacheInfo) but not the admin privileges cache. This left admin access tokens valid after logout, creating insufficient session expiration. The direct correlation between the CWE-613 description, the commit message about admin cache removal, and the specific code change in the logout handler provides high confidence in this assessment.
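As an added illustration (not code from the Answer project or from this page), the cache-invalidation gap described above modelled in Go: SessionCache is a hypothetical type whose method names follow the functions named in the analysis, and the token and user ID are constructed sample values.

```go
package main

import "fmt"

// SessionCache is a constructed stand-in for the two per-token caches described
// above; not Answer's own type, though the method names mirror the page's functions.
type SessionCache struct {
	user  map[string]string // token -> user ID
	admin map[string]string // token -> user ID, admin sessions only
}

func NewSessionCache() *SessionCache {
	return &SessionCache{user: map[string]string{}, admin: map[string]string{}}
}

// Login records a session token; admin sessions are cached in both maps.
func (c *SessionCache) Login(token, userID string, isAdmin bool) {
	c.user[token] = userID
	if isAdmin {
		c.admin[token] = userID
	}
}
func (c *SessionCache) RemoveUserCacheInfo(token string)      { delete(c.user, token) }
func (c *SessionCache) RemoveAdminUserCacheInfo(token string) { delete(c.admin, token) }

// HasAdminAccess is what an admin-only handler would consult per request.
func (c *SessionCache) HasAdminAccess(token string) bool { _, ok := c.admin[token]; return ok }

// LogoutVulnerable models the pre-1.0.6 logout: only the user cache is cleared,
// so the admin cache entry (and admin access for that token) survives.
func LogoutVulnerable(c *SessionCache, token string) { c.RemoveUserCacheInfo(token) }

// LogoutFixed models the patched logout, which also clears the admin cache.
func LogoutFixed(c *SessionCache, token string) {
	c.RemoveUserCacheInfo(token)
	c.RemoveAdminUserCacheInfo(token)
}

// AdminAccessAfterLogout logs an admin in, logs out through the given handler,
// and reports whether the old token still grants admin access; a regression
// test for this bug class asserts that it returns false.
func AdminAccessAfterLogout(logout func(*SessionCache, string)) bool {
	c := NewSessionCache()
	c.Login("tok-admin-1", "admin-user", true) // constructed sample token
	logout(c, "tok-admin-1")
	return c.HasAdminAccess("tok-admin-1")
}

func main() {
	fmt.Println("vulnerable:", AdminAccessAfterLogout(LogoutVulnerable)) // true
	fmt.Println("fixed:", AdminAccessAfterLogout(LogoutFixed))           // false
}
```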


WAF Protection Rules

WAF Rule

Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.
