Spring Boot Misconfiguration: Overly long session timeout - Vulnerability Database

Spring Boot Misconfiguration: Overly long session timeout

Description

This vulnerability is reported when the server.servlet.session.timeout property in Spring Boot's configuration is set to a value exceeding 30 minutes. This property controls how long an idle user session remains valid after the last interaction. The current configuration lets sessions persist beyond the recommended security threshold, widening the window in which an abandoned or stolen session remains usable for session-based attacks.

Remediation

Configure the session timeout to 30 minutes or less by modifying the server.servlet.session.timeout property in your Spring Boot application properties file (application.properties or application.yml).

For application.properties:

server.servlet.session.timeout=30m

For application.yml:

server:
  servlet:
    session:
      timeout: 30m

Note: The timeout value can be specified in minutes (m), seconds (s), hours (h), or days (d). If no unit is specified, seconds are assumed. After making this change, restart your application for the configuration to take effect. Consider implementing even shorter timeouts (15-20 minutes) for applications handling sensitive data or financial transactions.
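As an added example (not code from Invicti's page or scanner), the following Python check reads application.properties or application.yml text, applies the unit rule from the note above (m, s, h, d, and unitless values read as seconds), and flags any server.servlet.session.timeout above 30 minutes. The sample inputs are constructed for this example, and treating a zero or negative value as a failure is this check's own policy choice.

```python
import re
from typing import Optional, Tuple
# Spring Boot "simple" duration syntax: integer plus optional unit suffix.
# For server.servlet.session.timeout a missing unit means seconds.
UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600, "d": 86400}
SIMPLE = re.compile(r"^([+-]?\d+)(ns|us|ms|s|m|h|d)?$", re.IGNORECASE)
KEY_PATH = ["server", "servlet", "session", "timeout"]
MAX_SECONDS = 30 * 60  # the threshold this finding is raised against

def parse_timeout_seconds(value: str) -> Optional[float]:
    # Convert a simple-style duration ("30m", "1800", "2h") to seconds; None if unparsable
    m = SIMPLE.match(value.strip())
    if not m:
        return None
    return int(m.group(1)) * UNIT_SECONDS[(m.group(2) or "s").lower()]

def find_timeout(text: str) -> Optional[str]:
    stack = []  # (indent, key) pairs tracking the current YAML key path
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        # Dotted key works in application.properties and in flattened YAML
        m = re.match(r"\s*server\.servlet\.session\.timeout\s*[=:]\s*(.*)$", body)
        if m:
            return m.group(1).strip() or None
        key, sep, val = body.strip().partition(":")
        if not sep:
            continue  # blank line or not a YAML "key: value" line
        indent = len(body) - len(body.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left a nested block: drop deeper or sibling keys
        stack.append((indent, key.strip()))
        if [k for _, k in stack] == KEY_PATH:
            return val.strip() or None
    return None

def check_session_timeout(text: str) -> Tuple[str, str]:
    """Return ("pass" | "fail" | "unknown", reason) for one configuration file."""
    raw = find_timeout(text)
    if raw is None:
        return "unknown", "server.servlet.session.timeout not set; container default applies"
    secs = parse_timeout_seconds(raw)
    if secs is None:
        return "unknown", f"could not parse duration {raw!r}"
    if secs <= 0:  # zero or negative is treated here as a failure (no effective expiry)
        return "fail", f"{raw!r} disables session expiry"
    if secs > MAX_SECONDS:
        return "fail", f"{raw!r} is {secs / 60:g} minutes, above the 30 minute limit"
    return "pass", f"{raw!r} is within the 30 minute limit"
# Constructed sample inputs (not from the original page)
PROPERTIES_BAD = "spring.application.name=demo\nserver.servlet.session.timeout=2h\n"
YAML_OK = "server:\n  port: 8080\n  servlet:\n    session:\n      timeout: 30m\n"
```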
