Mitigation Strategies

To mitigate this vulnerability, upgrade the Data Sharing Framework (DSF) to version 2.1.0 or later, where the issue with OIDC-authenticated sessions persisting indefinitely has been fixed by configuring a maximum inactivity timeout.

Useful 0 Not Useful 0

Executive Summary

The vulnerability exists in the Data Sharing Framework (DSF) versions prior to 2.1.0, where OIDC-authenticated sessions did not have a configured maximum inactivity timeout.

As a result, sessions persisted indefinitely after login, even after the OIDC access token had expired.

This means that once a user logged in, their session could remain active without expiration due to inactivity, potentially allowing unauthorized continued access.

This issue was fixed in version 2.1.0 by introducing a maximum inactivity timeout for sessions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to prolonged unauthorized access because sessions remain active indefinitely after login, even if the OIDC access token expires.

An attacker or unauthorized user could exploit this by using an inactive session to access sensitive data or perform actions without re-authentication.

This increases the risk of data breaches or misuse of the system due to session persistence beyond intended limits.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allowed OIDC-authenticated sessions to persist indefinitely without a maximum inactivity timeout, even after the access token expired. Such indefinite session persistence can lead to unauthorized access risks and potential data exposure.

From a compliance perspective, this behavior could negatively impact adherence to standards and regulations like GDPR and HIPAA, which require appropriate session management and access controls to protect personal and health data.

The vulnerability was fixed in version 2.1.0 by introducing a maximum inactivity timeout, thereby improving compliance with these security requirements.

Useful 0 Not Useful 0