Описание
Enabling Authentication does not close all logged in socket connections immediately
Summary
This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.
PoC
- Open Uptime Kuma with authentication disabled
- Enable authentication using another window
- Access the platform using the previously logged-in window
- Note that access (read-write) remains despite the enabled authentication
- Expected behaviour:
- After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
- Actual behaviour:
- The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.
Impact
See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q
TBH this is quite a niche edge case, so I don't know if this even warrants a security report.
Ссылки
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-23q2-5gf8-gjpp
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g
- https://github.com/louislam/uptime-kuma/commit/7a9e2f5de69aa0bb884ead25d1dcc833bb8c6579
Пакеты
Наименование
uptime-kuma
npm
Затронутые версииВерсия исправления
<= 1.23.11
1.23.12
Дефекты
CWE-384
Дефекты
CWE-384