CVE-2022-24751: Clear sessions outside of the transaction. · zulip/zulip@62ba8e4
Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. A patch is available in version 4.11 on the 4.x branch and version 5.0-rc1 on the 5.x branch. Upgrading to a fixed version will, as a side effect, deactivate any cached sessions that may have been leaked through this bug. There are currently no known workarounds.
CVE-2022-24751: Clear sessions outside of the transaction.
Clearing the sessions inside the transaction makes Zulip vulnerable to a narrow window where the deleted session has not yet been committed, but has been removed from the memcached cache. During this window, a request with the session-id which has just been deleted can successfully re-fill the memcached cache, as the in-database delete is not yet committed, and thus not yet visible. After the delete transaction commits, the cache will be left with a cached session, which allows further site access until it expires (after SESSION_COOKIE_AGE seconds), is ejected from the cache due to memory pressure, or the server is upgraded.
Move the session deletion outside of the transaction.
Because the testsuite runs inside of a transaction, it is impossible to test this in CI; the testsuite uses the non-caching `django.contrib.sessions.backends.db` backend, regardless. The test added in this commit thus does not fail before this commit; it is merely a base expression that the session should be deleted somehow, and does not exercise the assert added in the previous commit.
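The ordering problem described in the commit message, modelled in a small in-memory simulation. This is an added example and not Zulip's code: `Database`, `Cache`, `load_session` and the two `deactivate_*` functions are constructed stand-ins for Django's session model, memcached, and Zulip's cached session lookup. The database stages deletes until `commit()`, so a concurrent reader only sees committed rows, exactly the window the commit message describes; the cache-aside reader refills the cache on a miss.

```python
"""Toy model of the cache-aside race fixed by this commit (added example,
not Zulip's code). All class and function names are constructed."""


class Database:
    """Committed rows, plus deletes staged in the currently open transaction."""

    def __init__(self, rows):
        self.committed = dict(rows)
        self.pending_deletes = set()  # staged but not yet visible to other readers

    def delete(self, key):
        # Inside the transaction the delete is only staged.
        self.pending_deletes.add(key)

    def get(self, key):
        # Other connections see committed state only.
        return self.committed.get(key)

    def commit(self):
        for key in self.pending_deletes:
            self.committed.pop(key, None)
        self.pending_deletes.clear()


class Cache:
    """Stand-in for memcached: a plain key/value store with no transactions."""

    def __init__(self):
        self.store = {}

    def get(self, key):
        return self.store.get(key)

    def set(self, key, value):
        self.store[key] = value

    def delete(self, key):
        self.store.pop(key, None)


def load_session(db, cache, session_id):
    """Cache-aside read: serve from cache, otherwise read the DB and fill the cache."""
    value = cache.get(session_id)
    if value is None:
        value = db.get(session_id)
        if value is not None:
            cache.set(session_id, value)
    return value


def deactivate_buggy(db, cache, session_id, concurrent_request):
    """Pre-fix ordering: cache cleared while the delete is still uncommitted."""
    db.delete(session_id)
    cache.delete(session_id)
    # Window: the row is still visible to other connections and the cache is
    # empty, so a concurrent request re-reads the row and refills the cache.
    concurrent_request()
    db.commit()
    # The cache now holds a session whose row no longer exists.


def deactivate_fixed(db, cache, session_id, concurrent_request):
    """Fixed ordering: delete in the transaction, clear the cache after commit."""
    db.delete(session_id)
    concurrent_request()  # may still be served the old session, from cache
    db.commit()
    concurrent_request()  # still served from cache, but the row is gone
    cache.delete(session_id)
    # Any refill from here on misses in the DB, so nothing stale is cached.


def simulate(deactivate):
    """Warm the cache as a logged-in user would, deactivate with an interleaved
    concurrent request, and return what a later request sees for the session."""
    session_id = "sess-constructed"  # constructed sample id
    db = Database({session_id: {"user_id": 42}})
    cache = Cache()
    load_session(db, cache, session_id)
    deactivate(db, cache, session_id, lambda: load_session(db, cache, session_id))
    return load_session(db, cache, session_id)


if __name__ == "__main__":
    print("buggy ordering, later request sees:", simulate(deactivate_buggy))
    print("fixed ordering, later request sees:", simulate(deactivate_fixed))
```

With the buggy ordering the later request is still handed the deleted user's session out of the cache; with the fixed ordering it gets nothing, because the cache is only cleared once the database delete is visible to every connection. The same reasoning is why the commit message notes that a test running inside a transaction, with a non-caching session backend, cannot observe the difference.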
Showing with 20 additions and 1 deletion.
- +1 −1 zerver/lib/actions.py
- +19 −0 zerver/tests/test_users.py