CVE-2022-4070: 
PHP vulnerability analysis and mitigation

CVE-2022-4070 is a session expiration vulnerability discovered in LibreNMS versions prior to 22.10.0. The vulnerability was identified in the GitHub repository librenms/librenms and relates to insufficient session expiration handling (NVD).

The vulnerability is classified as CWE-613 (Insufficient Session Expiration) and received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. However, the original reporter (huntr.dev) assessed it with a lower CVSS score of 2.7 (LOW) with vector string CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability could allow disabled users to remain authenticated through their session cookies, potentially bypassing intended access restrictions. This could lead to unauthorized access to system resources even after a user account has been disabled (GitHub Commit).

The vulnerability was fixed in LibreNMS version 22.10.0. The patch implements proper session invalidation for disabled users by adding middleware verification and forcing logout when a disabled user attempts to access the system (GitHub Commit).