Headline
CVE-2023-49091: JWT never expires after the password is changed and the user logs out
Cosmos gives users the ability to self-host a home server by acting as a secure gateway to their applications, as well as a server manager. Cosmos-server is vulnerable because the token sent in the Authorization header after user login remains valid and does not expire after logout. This allows an attacker who has obtained the token to use it to gain unauthorized access to the application or system even after the user has logged out. This issue has been patched in version 0.13.0.
Summary
In use, we found that the JWT handling does not work as intended: a token is not invalidated when the user logs out or changes their password, which poses a security risk.
Details
The vulnerability concerns the JWT carried in the Authorization header after user login. After the user logs out, that token remains valid and does not expire; the same holds after a password change (see the PoC below).
An attacker who has obtained the token can therefore keep using it to gain unauthorized access to the application or system even after the user has logged out, which can lead to data breaches, unauthorized modification or deletion of sensitive data, or other malicious activity.
PoC
Step 1: before changing the password and logging out, record the JWT issued for the session.
Step 2: after changing the password and logging out, obtain the new JWT that is issued.
We then observed that both JWTs are accepted at the same time: the old token still works alongside the new one.
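To make the Details and PoC sections concrete, here is an added Go example; it is not Cosmos-server's own code and does not reflect its internals. It contrasts a check that validates only the JWT signature and expiry, which keeps accepting a token after logout or a password change exactly as reported, with a hardened check that also rejects tokens revoked on logout (by `jti`) and tokens minted before the user's last password change (by a per-user `ver` claim). The HMAC key, user names, claim names and the `Server` helper are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Example-only HMAC key (an assumption; never hard-code a real key).
var secret = []byte("example-hmac-key-not-for-production")

// Claims carried in the token: "ver" is a per-user token version bumped on
// password change; "jti" identifies the token so logout can revoke it.
type Claims struct {
	Sub string `json:"sub"`
	Ver int    `json:"ver"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint builds an HS256-signed JWT (header.payload.signature).
func Mint(c Claims) string {
	payload, _ := json.Marshal(c)
	signing := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signing))
	return signing + "." + b64(mac.Sum(nil))
}

// verifySignature checks the HMAC and exp only; it knows nothing about logout
// or password changes, which is the weakness the advisory describes.
func verifySignature(tok string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, fmt.Errorf("bad signature")
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // authenticated above
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, fmt.Errorf("token expired")
	}
	return c, nil
}

// Server holds the state a purely stateless JWT check lacks: the current
// token version per user and the token IDs revoked by logout.
type Server struct {
	tokenVersion map[string]int
	revoked      map[string]bool
}

func NewServer() *Server {
	return &Server{tokenVersion: map[string]int{}, revoked: map[string]bool{}}
}

// Login issues a one-hour token bound to the user's current token version.
func (s *Server) Login(user, jti string, now time.Time) string {
	return Mint(Claims{Sub: user, Ver: s.tokenVersion[user], Jti: jti, Exp: now.Add(time.Hour).Unix()})
}

// Logout revokes the presented token's jti (a real server can drop the entry once exp passes).
func (s *Server) Logout(tok string, now time.Time) {
	if c, err := verifySignature(tok, now); err == nil {
		s.revoked[c.Jti] = true
	}
}

// ChangePassword bumps the version so every previously issued token is stale.
func (s *Server) ChangePassword(user string) { s.tokenVersion[user]++ }

// VulnerableAuth mirrors the reported behaviour: signature and exp only.
func (s *Server) VulnerableAuth(tok string, now time.Time) bool {
	_, err := verifySignature(tok, now)
	return err == nil
}

// HardenedAuth also rejects logged-out tokens and tokens minted before the
// user's last password change.
func (s *Server) HardenedAuth(tok string, now time.Time) bool {
	c, err := verifySignature(tok, now)
	return err == nil && !s.revoked[c.Jti] && c.Ver == s.tokenVersion[c.Sub]
}

func main() {
	s, now := NewServer(), time.Now()
	old := s.Login("alice", "jti-1", now) // token held from before the PoC steps
	s.ChangePassword("alice")
	s.Logout(old, now)
	fmt.Println("vulnerable check accepts old token:", s.VulnerableAuth(old, now)) // true
	fmt.Println("hardened check accepts old token:", s.HardenedAuth(old, now))     // false
}
```

The important design point is that a signature-only check cannot observe logout or a password change, because nothing in the token changes; the server must either keep a small amount of state (the revoked `jti` set, bounded by token lifetime) or bind the token to something the server does change (the `ver` counter). Short token lifetimes limit the exposure window but do not by themselves close the issue.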
Video PoC (test logout): bandicam.2023-11-28.09-35-57-727.mp4
Impact
This vulnerability can have a significant impact on the security of an application or system protected by the token. The main impact is that the token can be used indefinitely by any user or attacker who has obtained it. This can lead to unauthorized access to sensitive information, since the holder of the token bypasses authentication and gains access to the application or system without a valid username and password.