GHSA-23q2-5gf8-gjpp: Enabling Authentication does not close all logged in socket connections immediately

Summary

This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.

PoC

  • Open Uptime Kuma with authentication disabled
  • Enable authentication using another window
  • Access the platform using the previously logged-in window
  • Note that access (read-write) remains despite the enabled authentication
  • Expected behaviour:
    • After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
  • Actual behaviour:
    • The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.
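The steps above come down to one question: does the server's login check depend only on a flag set when the socket connected, or is it re-evaluated when the authentication setting changes? The following in-memory model is an added example, not Uptime Kuma's own code or the fix in the referenced commit; it assumes a single-user install (user ID 1), a `checkLogin`-style gate in front of every read-write event, and that sockets connected while authentication is disabled are auto-logged-in. It replays the PoC against a vulnerable variant, which only flips the setting, and a hardened variant, which also tears down every live session so each window has to log in again.

```javascript
// Added example (not Uptime Kuma's code): an in-memory socket server whose
// protected events require a logged-in socket. When authentication is
// disabled, every new socket is auto-logged-in; the interesting part is what
// happens to those sockets once authentication is turned on.

class Socket {
  constructor(id) {
    this.id = id;
    this.userID = null;        // non-null means the server treats it as logged in
    this.autoLoggedIn = false; // granted without credentials (auth was disabled)
    this.connected = true;
    this.received = [];        // events the server pushed to this client
  }
  emit(name, payload) { this.received.push({ name, payload }); }
  disconnect() { this.connected = false; }
}

class Server {
  constructor({ authDisabled }) {
    this.authDisabled = authDisabled;
    this.sockets = new Set();
  }

  connect(id) {
    const socket = new Socket(id);
    this.sockets.add(socket);
    if (this.authDisabled) {
      // Constructed assumption: single-user install, so the implicit session
      // is bound to user 1 without any credentials being checked.
      socket.userID = 1;
      socket.autoLoggedIn = true;
    }
    return socket;
  }

  // Explicit login; credential verification is out of scope for this model.
  login(socket, userID) {
    socket.userID = userID;
    socket.autoLoggedIn = false;
  }

  checkLogin(socket) {
    return socket.connected && socket.userID !== null;
  }

  // Every read-write event passes through the same gate.
  handleEvent(socket, name) {
    if (!this.checkLogin(socket)) {
      return { ok: false, msg: "You are not logged in." };
    }
    return { ok: true, msg: `${name} handled for user ${socket.userID}` };
  }

  // Vulnerable pattern: only the setting changes. Auto-logged-in sockets keep
  // their userID and therefore keep passing checkLogin.
  enableAuthenticationVulnerable() {
    this.authDisabled = false;
  }

  // Hardened pattern: flipping the setting also invalidates every live
  // session, so each client must present credentials again.
  enableAuthenticationHardened() {
    this.authDisabled = false;
    for (const socket of this.sockets) {
      if (!socket.connected) continue;
      socket.userID = null;
      socket.autoLoggedIn = false;
      socket.emit("logout", { reason: "authentication enabled" });
      socket.disconnect();
    }
  }
}

// Replays the advisory's PoC against either variant and reports whether each
// window can still perform a read-write action.
function runScenario(hardened) {
  const server = new Server({ authDisabled: true });
  const oldWindow = server.connect("old-window");   // opened while auth was off
  const adminWindow = server.connect("admin-window");
  server.handleEvent(adminWindow, "setupAuth");     // admin turns auth on here
  if (hardened) server.enableAuthenticationHardened();
  else server.enableAuthenticationVulnerable();

  const newWindow = server.connect("new-window");   // opened after auth was on
  const beforeLogin = {
    oldWindow: server.handleEvent(oldWindow, "editMonitor").ok,
    newWindow: server.handleEvent(newWindow, "editMonitor").ok,
  };
  server.login(newWindow, 1);                       // fresh window logs in
  const afterLogin = server.handleEvent(newWindow, "editMonitor").ok;
  const oldWindowEvents = oldWindow.received.map((e) => e.name);
  return { beforeLogin, afterLogin, oldWindowEvents };
}

console.log("vulnerable:", JSON.stringify(runScenario(false)));
console.log("hardened:  ", JSON.stringify(runScenario(true)));
```

In the vulnerable run the old window keeps read-write access after authentication is enabled, exactly the PoC's "actual behaviour"; in the hardened run it receives a `logout` event and is disconnected, and only a window that logs in afterwards succeeds. The hardened variant deliberately evicts the admin's own window as well, matching the advisory's expected behaviour that all previously connected sessions are invalidated; an implementation may choose to spare the socket that issued the change, but that is a design choice, not something this model takes from the project.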

Impact

See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q

TBH this is quite a niche edge case, so I don’t know if this even warrants a security report.

Source: ghsa

Tags: #vulnerability #nodejs #git #auth

Severity: Low (GitHub Reviewed)

Published Apr 19, 2024 in louislam/uptime-kuma • Updated Apr 19, 2024

Package

uptime-kuma (npm)

Affected versions

<= 1.23.11

References

  • GHSA-23q2-5gf8-gjpp
  • GHSA-88j4-pcx8-q4q
  • GHSA-g9v2-wqcj-j99g
  • louislam/uptime-kuma@7a9e2f5

Published to the GitHub Advisory Database: Apr 19, 2024

Last updated: Apr 19, 2024
