Source: kanboard Version: 1.2.31+ds2-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for kanboard. CVE-2024-55603[0]: | Kanboard is project management software that focuses on the Kanban | methodology. In affected versions sessions are still usable even | though their lifetime has exceeded. Kanboard implements a cutom | session handler (`app/Core/Session/SessionHandler.php`), to store | the session data in a database. Therefore, when a `session_id` is | given, kanboard queries the data from the `sessions` sql table. At | this point, it does not correctly verify, if a given `session_id` | has already exceeded its lifetime (`expires_at`). Thus, a session | which's lifetime is already `> time()`, is still queried from the | database and hence a valid login. The implemented | **SessionHandlerInterface::gc** function, that does remove invalid | sessions, is called only **with a certain probability** (_Cleans up | expired sessions. Called by `session_start()`, based on | `session.gc_divisor`, `session.gc_probability` and | `session.gc_maxlifetime` settings_) accordingly to the php | documentation. In the official Kanboard docker image these values | default to: session.gc_probability=1, session.gc_divisor=1000. Thus, | an expired session is only terminated with probability 1/1000. This | issue has been addressed in release 1.2.43 and all users are advised | to upgrade. There are no known workarounds for this vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-55603 https://www.cve.org/CVERecord?id=CVE-2024-55603 [1] https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484 [2] https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
