Hi,
The following vulnerability was published for kanboard.
CVE-2024-55603[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. In affected versions sessions are still usable even
| though their lifetime has exceeded. Kanboard implements a cutom
| session handler (`app/Core/Session/SessionHandler.php`), to store
| the session data in a database. Therefore, when a `session_id` is
| given, kanboard queries the data from the `sessions` sql table. At
| this point, it does not correctly verify, if a given `session_id`
| has already exceeded its lifetime (`expires_at`). Thus, a session
| which's lifetime is already `> time()`, is still queried from the
| database and hence a valid login. The implemented
| **SessionHandlerInterface::gc** function, that does remove invalid
| sessions, is called only **with a certain probability** (_Cleans up
| expired sessions. Called by `session_start()`, based on
| `session.gc_divisor`, `session.gc_probability` and
| `session.gc_maxlifetime` settings_) accordingly to the php
| documentation. In the official Kanboard docker image these values
| default to: session.gc_probability=1, session.gc_divisor=1000. Thus,
| an expired session is only terminated with probability 1/1000. This
| issue has been addressed in release 1.2.43 and all users are advised
| to upgrade. There are no known workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-55603
https://www.cve.org/CVERecord?id=CVE-2024-55603
[1] https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484
[2] https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore