← Back
2025-10-30 21:44CVE-2024-13996VulnCheck
PUBLISHED5.2CWE-613

Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change

Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.

Problem type

Affected products

Nagios

XI

< 2024R1.1.3 - UNKNOWN

References

nagios.com

https://www.nagios.com/products/security/#nagios-xi

vendor-advisorypatch
nagios.com

https://www.nagios.com/changelog/nagios-xi/

release-notespatch
vulncheck.com

https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change

third-party-advisory

JSON source

Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2024-13996",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-10-31T13:55:58.885Z",
    "dateReserved": "2025-10-22T17:12:46.391Z",
    "datePublished": "2025-10-30T21:44:26.053Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-10-30T21:44:26.053Z"
      },
      "title": "Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change",
      "descriptions": [
        {
          "lang": "en",
          "value": "Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Nagios XI versions prior to&nbsp;2024R1.1.3&nbsp;did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.<br>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Nagios",
          "product": "XI",
          "modules": [
            "Authentication / Session Management"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "unknown",
              "versionType": "custom",
              "lessThan": "2024R1.1.3"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-613 Insufficient Session Expiration",
              "cweId": "CWE-613",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.nagios.com/products/security/#nagios-xi",
          "tags": [
            "vendor-advisory",
            "patch"
          ]
        },
        {
          "url": "https://www.nagios.com/changelog/nagios-xi/",
          "tags": [
            "release-notes",
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Nagios addresses this vulnerability as \"When changing a user's password, Nagios XI did not invalidate all other existing sessions for that user\" and \"Fixed an issue where a password change wouldn’t invalidate other sessions.\"",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<span style=\"background-color: rgb(255, 255, 255);\">Nagios addresses this vulnerability as \"</span><span style=\"background-color: rgb(255, 255, 255);\">When changing a user's password, Nagios XI did not invalidate all other existing sessions for that user\" and \"Fixed an issue where a password change wouldn’t invalidate other sessions.\"</span><br>"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jack Eli",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-10-31T13:55:58.885Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2024-13996