CVE-2024-55603
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (app/Core/Session/SessionHandler.php), to store the session data in a database. Therefore, when a session_id is given, kanboard queries the data from the sessions sql table. At this point, it does not correctly verify, if a given session_id has already exceeded its lifetime (expires_at).
Thus, a session which's lifetime is already > time(), is still queried from the database and hence a valid login. The implemented SessionHandlerInterface::gc function, that does remove invalid sessions, is called only with a certain probability (Cleans up expired sessions. Called by session_start(), based on session.gc_divisor, session.gc_probability and session.gc_maxlifetime settings) accordingly to the php documentation. In the official Kanboard docker image these values default to: session.gc_probability=1, session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. This issue has been addressed in release 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| kanboard | kanboard | < 1.2.43 | affected |
Weaknesses
- CWE-613: CWE-613: Insufficient Session Expiration
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484
- https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78
- https://github.com/kanboard/kanboard/blob/main/app/Core/Session/SessionHandler.php#L40
- https://www.php.net/manual/en/function.session-start.php
- https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
- https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
- https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
- https://www.php.net/manual/en/sessionhandlerinterface.gc.php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.