VYPR
Unrated severityNVD Advisory· Published Dec 18, 2024· Updated Dec 20, 2024

Insufficient session invalidation in Kanboard

CVE-2024-55603

Description

Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (app/Core/Session/SessionHandler.php), to store the session data in a database. Therefore, when a session_id is given, kanboard queries the data from the sessions sql table. At this point, it does not correctly verify, if a given session_id has already exceeded its lifetime (expires_at). Thus, a session which's lifetime is already > time(), is still queried from the database and hence a valid login. The implemented SessionHandlerInterface::gc function, that does remove invalid sessions, is called only with a certain probability (_Cleans up expired sessions. Called by session_start(), based on session.gc_divisor, session.gc_probability and session.gc_maxlifetime settings_) accordingly to the php documentation. In the official Kanboard docker image these values default to: session.gc_probability=1, session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. This issue has been addressed in release 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Kanboard/Kanboardllm-fuzzy2 versions
    <1.2.43+ 1 more
    • (no CPE)range: <1.2.43
    • (no CPE)range: < 1.2.43

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.