Security flaw in Tenable Nessus vulnerability scanner: insufficient session expiration

Cybersecurity specialists reported a severe vulnerability in Tenable Nessus, the popular vulnerability scanner available for various operating systems. Successful exploitation of this vulnerability would allow threat actors to obtain confidential information from the target system.

Below is a brief description of the reported flaw, along with its identifier and its score under the Common Vulnerability Scoring System (CVSS).

CVE-2020-5774: An insufficient session expiration issue allows threat actors to obtain or guess a session token and gain unauthorized access to other users' sessions, potentially exposing sensitive information.

This is a low-severity flaw that received a score of 3.7/10.
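The weakness class named above, insufficient session expiration, can be shown with a small server-side session store. This is an added illustration, not Tenable's code: the class names, the `replay_after` helper and the timeout values are assumptions chosen for the example.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: 8 hours since login


class WeakSessionStore:
    """Tokens never expire, so a token learned once stays usable."""
    def __init__(self):
        self.sessions = {}  # token -> user

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def validate(self, token, now):
        return self.sessions.get(token)  # 'now' is ignored: no expiry check


class ExpiringSessionStore:
    """Server-side idle and absolute expiry, plus revocation on logout."""
    def __init__(self):
        self.sessions = {}  # token -> [user, created_at, last_seen]

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [user, now, now]
        return token

    def logout(self, token):
        self.sessions.pop(token, None)  # revoke immediately on the server

    def validate(self, token, now):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, created_at, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT or now - created_at > ABSOLUTE_LIFETIME:
            del self.sessions[token]  # expired: the token is dead for good
            return None
        entry[2] = now  # slide the idle window on legitimate use
        return user


def replay_after(store, delay):
    """Present a token issued at t=0 again `delay` seconds later."""
    token = store.login("alice", now=0)
    return store.validate(token, now=delay)
```

The absolute lifetime matters as much as the idle timeout: without it, a session that is kept active can be extended indefinitely.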

The following versions of Tenable Nessus are affected by this flaw: 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.2, 8.4.0, 8.5.0, 8.5.1, 8.5.2, 8.6.0, 8.7.0, 8.7.1, 8.7.2, 8.8.0, 8.9.0, 8.9.1, 8.10.0, 8.10.1, 8.11.0.

Experts mention that this flaw can be exploited remotely by unauthenticated threat actors over the LAN, although no attempts at active exploitation have been reported. Updates are now available, so users of affected deployments are advised to patch shortly.