Session Handling Vulnerability in Kanboard Project Management Software
CVE-2024-55603
Summary
CVE-2024-55603 is a high-risk vulnerability in Kanboard, a popular project management tool based on the Kanban methodology. It concerns the improper handling of session expiration in affected versions of the software. When a session outlives its expiration time, Kanboard fails to invalidate it correctly because of how its custom session handler (app/Core/Session/SessionHandler.php) is designed. As a result, an attacker could present an expired session ID and still be granted access, compromising the integrity of user accounts. The default session cleanup settings in the Docker image, where expired sessions are purged only with a low probability (1/1000), make the problem worse. Users are strongly encouraged to upgrade to version 1.2.43 or later, as no workaround effectively mitigates this vulnerability.
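The root cause described above is a session handler that trusts garbage collection to remove expired sessions rather than checking expiry when a session is read. The following PHP is an added illustration, not Kanboard's code: a constructed database-backed handler (class name ExpiringSessionHandler, SQLite in memory, sample session data all invented here) showing the weak read pattern next to a read that enforces expiry itself.

```php
<?php
// Added illustration (not Kanboard's SessionHandler.php): a database-backed session
// handler that enforces expiration on every read instead of relying on gc().
declare(strict_types=1);

final class ExpiringSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions ' .
            '(id TEXT PRIMARY KEY, expire_at INTEGER NOT NULL, data TEXT NOT NULL)'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Weak pattern: any known id is accepted, expired or not. The row only disappears
    // when PHP happens to invoke gc(), which with a 1/1000 probability can take a long time.
    public function readWithoutExpiryCheck(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    // Hardened pattern: expiry is checked on the read path, so how often gc() runs
    // affects only storage growth, not whether a stale id still authenticates.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data, expire_at FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';
        }
        if ((int) $row['expire_at'] <= time()) {
            $this->destroy($id);   // treat an expired id exactly like an unknown one
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, expire_at, data) VALUES (:id, :exp, :data)'
        );
        return $stmt->execute([
            ':id'   => $id,
            ':exp'  => time() + $this->maxLifetime,   // absolute expiry stored with the row
            ':data' => $data,
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // PHP calls this with probability session.gc_probability / session.gc_divisor.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expire_at <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Demonstration with an in-memory database and a constructed, already-expired session.
$db = new PDO('sqlite::memory:');
$handler = new ExpiringSessionHandler($db, 3600);
$handler->write('stale-session-id', 'user_id|i:42;');   // constructed sample session data
$db->exec('UPDATE sessions SET expire_at = 0');          // simulate a session that expired long ago

// The weak read still hands back the stale session data.
var_dump($handler->readWithoutExpiryCheck('stale-session-id'));
// The hardened read returns an empty string and deletes the row.
var_dump($handler->read('stale-session-id'));
```

The design point is that gc() is a housekeeping hook whose timing PHP controls; when the cleanup probability is as low as the 1/1000 the advisory cites for the Docker image, an expired row can remain readable for a long time. Checking expire_at inside read() removes that window regardless of the gc setting. This illustrates the defect class only; the fix the advisory recommends is upgrading Kanboard to 1.2.43 or later.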
References
CVSS V3.1
Timeline
Vulnerability published