CVE-2024-55603

Dec. 19, 2024, 12:15 a.m.

6.5
Medium

Description

Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (`app/Core/Session/SessionHandler.php`), to store the session data in a database. Therefore, when a `session_id` is given, kanboard queries the data from the `sessions` sql table. At this point, it does not correctly verify, if a given `session_id` has already exceeded its lifetime (`expires_at`). Thus, a session which's lifetime is already `> time()`, is still queried from the database and hence a valid login. The implemented **SessionHandlerInterface::gc** function, that does remove invalid sessions, is called only **with a certain probability** (_Cleans up expired sessions. Called by `session_start()`, based on `session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime` settings_) accordingly to the php documentation. In the official Kanboard docker image these values default to: session.gc_probability=1, session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. This issue has been addressed in release 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
Kanboard
  • < 1.2.43

Weaknesses

CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

https://github.com/kanboard/kanboard/blob/main/app/Core/Session/SessionHandler.php#L40
https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78
https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484
https://www.php.net/manual/en/function.session-start.php
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
https://www.php.net/manual/en/sessionhandlerinterface.gc.php

Tags

security-advisories@github.com
CWE-613
2024-12-19
CVE-2024-55603

CVSS Score

6.5 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Date

  • Published: Dec. 19, 2024, 12:15 a.m.
  • Last Modified: Dec. 19, 2024, 12:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.