Vulnerability Information
Vulnerability Title
blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset
Vulnerability Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID → session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely — even after the legitimate user has detected the intrusion and changed their password — until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0.
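The flaw above is a server-side session store that survives a credential change. The following is an added illustration, not blueprintUE's own code: a minimal in-memory session store (session id → user id) with the pre-4.2.0 behaviour (only the password is updated) beside the hardened flow, which also revokes every other session bound to the user. The store, user table and KDF are stand-ins constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed user table for the demo: user_id -> {"salt", "hash"}
USERS = {}

def hash_password(password, salt):
    # Stand-in KDF; a real deployment would use a dedicated password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user_id, new_password):
    """Store a fresh salt and hash, the only thing the vulnerable flow does."""
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"salt": salt, "hash": hash_password(new_password, salt)}

def verify_password(user_id, password):
    rec = USERS[user_id]
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

class SessionStore:
    """In-memory stand-in for a server-side session store: session_id -> user_id."""
    def __init__(self):
        self.sessions = {}

    def create(self, user_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user_id
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def destroy_all_for_user(self, user_id, keep=None):
        """Remove every session bound to user_id, optionally keeping the current one."""
        doomed = [s for s, u in self.sessions.items() if u == user_id and s != keep]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)

def change_password_vulnerable(store, user_id, new_password):
    # Pre-4.2.0 behaviour as described: the credential changes, sessions are untouched,
    # so a previously compromised session stays valid until the GC lifetime runs out.
    set_password(user_id, new_password)
    return 0

def change_password_fixed(store, user_id, new_password, current_sid=None):
    # Hardened flow: update the credential, then revoke every other session for the
    # user. For a reset-link completion pass current_sid=None so all sessions go.
    set_password(user_id, new_password)
    return store.destroy_all_for_user(user_id, keep=current_sid)
```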
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Insufficient Session Expiration
Vulnerability Title
blueprintUE self-hosted edition security vulnerability
Vulnerability Description
blueprintUE self-hosted edition is a self-hosted data modeling and visualization tool open-sourced by blueprintUE. Versions of blueprintUE self-hosted edition prior to 4.2.0 contain a security vulnerability: when a user changes their password via the profile edit page or completes a password reset via the reset link, neither operation invalidates that user's existing authenticated sessions. An attacker who has already compromised a session may therefore retain full access to the account after the legitimate user has detected the intrusion and changed their password, until the session expires naturally.
CVSS Information
N/A
Vulnerability Type
N/A