Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yM3EyLTVnZjgtZ2pwcM4AA7NN
Enabling Authentication does not close all logged in socket connections immediately
Summary
This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.
PoC
- Open Uptime Kuma with authentication disabled
- Enable authentication using another window
- Access the platform using the previously logged-in window
- Note that access (read-write) remains despite the enabled authentication
- Expected behaviour:
- After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
- Actual behaviour:
- The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.
Impact
See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q
TBH this is quite a niche edge case, so I don't know if this even warrants a security report.
Permalink: https://github.com/advisories/GHSA-23q2-5gf8-gjppJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yM3EyLTVnZjgtZ2pwcM4AA7NN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 14 days ago
Updated: 14 days ago
Identifiers: GHSA-23q2-5gf8-gjpp
References:
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-23q2-5gf8-gjpp
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g
- https://github.com/louislam/uptime-kuma/commit/7a9e2f5de69aa0bb884ead25d1dcc833bb8c6579
- https://github.com/advisories/GHSA-23q2-5gf8-gjpp
Blast Radius: 1.0
Affected Packages
npm:uptime-kuma
Dependent packages: 0Dependent repositories: 0
Downloads: 51 last month
Affected Version Ranges: <= 1.23.11
Fixed in: 1.23.12
All affected versions:
All unaffected versions: