Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseGHSA-gj7p-595x-qwf5
GHSA-gj7p-595x-qwf5:
Java vulnerability analysis and mitigation
Affected Components
DSF FHIR Server with enabled OIDC authentication. DSF BPE Server with enabled OIDC authentication.
Summary
OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.
Impact
If a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations. Only affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.
Fix (commits f4ecb00, 7d25fea)
- Added configurable session timeout via
dev.dsf.server.auth.oidc.session.timeout(default:PT30M). - Enabled
logoutWhenIdTokenIsExpired(true)in OpenID configuration to tie session lifetime to token lifetime. - Websocket sessions are now closed with
VIOLATED_POLICYwhen credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.
Source: NVD
Related Java vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management