
Insufficient Session Expiration on password change #15941

Open

SAHALLL opened this issue May 8, 2024 · 1 comment

SAHALLL commented May 8, 2024

What are you trying to achieve?

Insufficient session expiration allows an attacker to reuse old session credentials or session IDs for authorization after a password change. In this scenario, a user's session on a separate tab or device remains active even after the password is changed on another device.

Steps to reproduce the problem

1. Login to the admin account on a normal tab (TAB A) and a private tab (TAB B).
2. Change the password on TAB A.
3. There will be an active session on both of the tabs, even after the password change.

What did you expect to happen?

Due to this vulnerability, there is no way for the victim to revoke the attacker's access if the account has already been compromised.

Logs

No response

Environment

Saleor version: 3.19.34

NyanKiyoshi (Member) commented

(Pasting from a reply in Saleor's security mailing list)

The following should be done:

  1. Document the behavior and remediation (storefronts can invoke the tokensDeactivateAll() mutation)
  2. Code change: in a new minor version of Saleor, all mutations that change the password shall invalidate previous sessions (password reset, password change, etc.)
