CVE-2024-55603

Date: December 18, 2024

Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler ("app/Core/Session/SessionHandler.php"), to store the session data in a database. Therefore, when a "session_id" is given, kanboard queries the data from the "sessions" sql table. At this point, it does not correctly verify, if a given "session_id" has already exceeded its lifetime ("expires_at"). Thus, a session which's lifetime is already "> time()", is still queried from the database and hence a valid login. The implemented SessionHandlerInterface::gc function, that does remove invalid sessions, is called only with a certain probability (Cleans up expired sessions. Called by "session_start()", based on "session.gc_divisor", "session.gc_probability" and "session.gc_maxlifetime" settings) accordingly to the php documentation. In the official Kanboard docker image these values default to: session.gc_probability=1, session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. This issue has been addressed in release 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: PHP