VYPR

CWE-324

Use of a Key Past its Expiration Date

Abstraction: Base
Status: Draft
Likelihood of Exploit: Low

Description

The product uses a cryptographic key or password past its expiration date. This significantly weakens the protection the key provides, because every additional period of use widens the window in which an attacker can mount cracking attacks against that key, or exploit a copy of it that has already leaked.

Expiration does not by itself mean a key has been compromised, but a key that remains in use for a prolonged period has a steadily growing chance of having been recovered or exposed. Keys should therefore be replaced within a period proportional to their strength: the weaker the key, the shorter its useful life. The same reasoning applies to derived credentials such as session tokens, OTP codes and reset links, whose validity windows must be enforced by the verifier rather than assumed from the artifact itself.
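The check the description calls for is easiest to see in code. The following is an added example written for this page, not code from the CWE entry, from MITRE, or from any of the projects listed below. It models a key ring with per-key validity windows and a token verifier: `lookup_insecure` returns a key regardless of its expiration (the CWE-324 defect), while `lookup` treats an expired key as unusable. The key IDs, secrets, timestamps, the 30-second `skew` allowance and the `max_ttl` policy are all constructed assumptions. The `sign_with` helper stands in for a component that captured key material at startup and keeps using it after the key has expired; `verify` consults the ring on every call instead of caching the key, and applies the server's lifetime policy rather than trusting the lifetime baked into the token.

```python
# Added example, not code from the CWE entry or from any project listed on this page:
# a key ring whose verifier refuses a key past its not_after, beside the lookup that
# commits CWE-324 by ignoring expiry. All keys, secrets and timestamps are constructed.
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


class KeyExpired(Exception):
    """Raised when a key is used outside its validity window (CWE-324)."""


@dataclass(frozen=True)
class Key:
    kid: str
    secret: bytes
    not_before: int  # epoch seconds, inclusive
    not_after: int   # epoch seconds, inclusive: the key's expiration date


class KeyRing:
    def __init__(self, keys):
        self._keys = {k.kid: k for k in keys}

    def lookup_insecure(self, kid):
        # CWE-324: hands back the key whether or not it has expired.
        return self._keys[kid]

    def lookup(self, kid, now, skew=30):
        # Hardened: a key outside its window is unusable; `skew` (assumed) tolerates clock drift.
        key = self._keys[kid]
        if not (key.not_before - skew <= now <= key.not_after + skew):
            raise KeyExpired(f"key {kid} is not valid at t={now}")
        return key

    def signing_key(self, now):
        # Newest key valid right now; no skew allowance, so a retiring key stops signing at not_after.
        live = [k for k in self._keys.values() if k.not_before <= now <= k.not_after]
        if not live:
            raise KeyExpired("no unexpired signing key; rotate before this happens")
        return max(live, key=lambda k: k.not_before)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_with(key, claims, iat, exp):
    # Raw signing with a given key: what a component still holding stale key material does.
    header = _b64(json.dumps({"kid": key.kid}).encode())
    payload = _b64(json.dumps(dict(claims, iat=iat, exp=exp), sort_keys=True).encode())
    tag = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(tag)}"


def sign(ring, claims, now, ttl):
    key = ring.signing_key(now)
    # A token must never outlive the key that signed it.
    return sign_with(key, claims, iat=now, exp=min(now + ttl, key.not_after))


def verify(ring, token, now, max_ttl, enforce_key_expiry=True):
    header, payload, tag = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    key = ring.lookup(kid, now) if enforce_key_expiry else ring.lookup_insecure(kid)
    expected = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("bad signature")
    body = json.loads(_unb64(payload))
    # The server's lifetime policy wins over whatever lifetime the token claims for itself.
    if body["exp"] - body["iat"] > max_ttl or now > body["exp"]:
        raise ValueError("token expired or lifetime exceeds policy")
    return body


def _rejected(call):
    try:
        call()
    except (KeyExpired, ValueError):
        return True
    return False


def demo():
    # Constructed ring: k1 expires at t=1000; k2 overlaps it from t=900 to t=2000.
    ring = KeyRing([
        Key("k1", b"old-secret-0123456789abcdef", not_before=0, not_after=1000),
        Key("k2", b"new-secret-0123456789abcdef", not_before=900, not_after=2000),
    ])
    out = {}
    # Honest issuance at t=500 uses k1 and caps exp at k1.not_after rather than now+ttl.
    tok = sign(ring, {"sub": "alice"}, now=500, ttl=900)
    out["capped_exp"] = verify(ring, tok, now=700, max_ttl=900)["exp"]
    # A component that captured k1 at startup keeps minting tokens after k1 has expired.
    stale = sign_with(ring.lookup_insecure("k1"), {"sub": "mallory"}, iat=1100, exp=1300)
    out["insecure_accepts_stale"] = verify(
        ring, stale, now=1200, max_ttl=900, enforce_key_expiry=False)["sub"] == "mallory"
    out["hardened_rejects_stale"] = _rejected(lambda: verify(ring, stale, now=1200, max_ttl=900))
    # A live key does not rescue a token that bakes in a longer lifetime than policy allows.
    long_lived = sign_with(ring.lookup_insecure("k2"), {}, iat=1000, exp=1900)
    out["overlong_rejected"] = _rejected(lambda: verify(ring, long_lived, now=1500, max_ttl=600))
    return out
```

Two design points carry the weight here. First, a key past `not_after` is treated exactly like a key that does not exist, so a token signed by a retired key fails regardless of what the token says about its own expiry; the small skew allowance applies only to verification, never to choosing a signing key. Second, the verifier re-reads the ring on every call and compares the token's `exp - iat` against a server-side maximum, so neither stale key material cached at startup nor a mis-sized lifetime embedded at generation time can extend a credential's usable life.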

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (9)

  • CVE-2026-43585 | High | May 6, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.01

    OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer…

  • CVE-2023-5342 | Medium | Aug 14, 2025
    risk 0.27 | CVSS 4.1 | EPSS 0.00

    The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded.

  • CVE-2026-52809 | Medium | Jun 23, 2026
    risk 0.19 | CVSS not listed | EPSS 0.00

    Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification…

  • CVE-2024-7318 | Sep 9, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds, totaling 1…

  • CVE-2024-38277 | Jun 18, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

  • CVE-2022-24732 | Mar 9, 2022
    risk 0.00 | CVSS not listed | EPSS 0.00

    Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired…

  • CVE-2019-10643 | Apr 17, 2019
    risk 0.00 | CVSS not listed | EPSS 0.01

    Contao 4.7 allows Use of a Key Past its Expiration Date.

  • CVE-2013-2104 | Jan 21, 2014
    risk 0.00 | CVSS not listed | EPSS 0.02

    python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.

  • CVE-2012-5563 | Dec 18, 2012
    risk 0.00 | CVSS not listed | EPSS 0.03

    OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a…