CVE-2024-55603

Severity: Medium (CVSS 3.1 base score 6.5)
EPSS: 38.6%
Published: Dec 19, 2024 · Last Modified: Jun 17, 2026

Description

Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions remain usable even after their lifetime has been exceeded.

Kanboard implements a custom session handler (`app/Core/Session/SessionHandler.php`) that stores session data in a database. When a `session_id` is presented, Kanboard queries the matching row from the `sessions` SQL table. At this point it does not verify whether the given `session_id` has already exceeded its lifetime (`expires_at`). A session whose `expires_at` timestamp already lies in the past (`expires_at < time()`) is therefore still read from the database and still counts as a valid login.

The implemented `SessionHandlerInterface::gc` method, which does remove expired sessions, is only invoked with a certain probability: according to the PHP documentation it "Cleans up expired sessions. Called by `session_start()`, based on `session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime` settings". In the official Kanboard Docker image these values default to `session.gc_probability=1` and `session.gc_divisor=1000`, so garbage collection runs on only 1 in 1000 calls to `session_start()`. Because that probabilistic garbage collection is the only place expiry is enforced, an expired session stays accepted on any given request with probability 999/1000, and is only terminated once one of the rare GC runs happens.

This issue has been addressed in release 1.2.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
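To make the failure mode concrete, the following is an added illustration written for this page; it is not Kanboard's own `SessionHandler.php` and does not reproduce the actual patch. It shows a minimal database-backed `SessionHandlerInterface` in two variants: a vulnerable `read()` that returns the row regardless of `expires_at` (the bug class the advisory describes), and a fixed `read()` that treats an expired row as "no session" on every lookup instead of relying on `gc()`. The table layout (`id`, `data`, `expires_at`), the class names and the `survivalProbability()` helper are assumptions made for the example; the 1/1000 GC ratio is the Docker-image default quoted above.

```php
<?php
// Added example for this page (not Kanboard's code). Demonstrates why a
// DB-backed PHP session handler must enforce expires_at in read(), because
// SessionHandlerInterface::gc() only runs with probability
// session.gc_probability / session.gc_divisor per session_start() call.
declare(strict_types=1);

abstract class DbSessionHandlerBase implements SessionHandlerInterface
{
    // Hypothetical table: sessions(id TEXT PRIMARY KEY, data TEXT, expires_at INTEGER)
    public function __construct(protected PDO $db, protected int $lifetime) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, expires_at) VALUES (:id, :data, :exp)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':exp' => time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    // Only reached on the 1-in-gc_divisor session_start() calls where PHP decides to run GC.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at < :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

final class DbSessionHandlerVulnerable extends DbSessionHandlerBase
{
    // Bug pattern from the advisory: the row is returned whether or not it has expired,
    // so a stale session_id keeps resolving to a logged-in session until gc() happens to run.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }
}

final class DbSessionHandlerFixed extends DbSessionHandlerBase
{
    // Expiry is enforced on every read, independent of whether gc() has ever run.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND expires_at >= :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }
}

// Probability that an already-expired row survives $requests further session_start() calls
// when no read-time check exists and GC runs with probability $gcProbability/$gcDivisor.
function survivalProbability(int $requests, int $gcProbability = 1, int $gcDivisor = 1000): float
{
    return (1 - $gcProbability / $gcDivisor) ** $requests;
}

// Constructed sample data: one session that expired an hour ago and has not been collected yet.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)');
$db->prepare('INSERT INTO sessions (id, data, expires_at) VALUES (:id, :data, :exp)')
   ->execute([':id' => 'stale', ':data' => 'user_id|i:1;', ':exp' => time() - 3600]);

$vuln  = new DbSessionHandlerVulnerable($db, 3600);
$fixed = new DbSessionHandlerFixed($db, 3600);

var_dump($vuln->read('stale'));   // vulnerable handler: serialized user data, i.e. a live login
var_dump($fixed->read('stale'));  // fixed handler: empty string, i.e. no session

printf("survival after 1000 requests at 1/1000 GC: %.3f\n", survivalProbability(1000));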

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
38.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses

CWE-613: Insufficient Session Expiration

Affected Products

Vendor    Product   Version   Range
kanboard  kanboard  *         <1.2.43

References

  • https://github.com/kanboard/kanboard/blob/main/app/Core/Session/SessionHandler.php#L40 (Product)
  • https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78 (Patch)
  • https://github.com/kanboard/kanboard/security/advisories/GHSA-gv5c-8pxr-p484 (Exploit, Vendor Advisory)
  • https://www.php.net/manual/en/function.session-start.php (Product)
  • https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor (Product)
  • https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime (Product)
  • https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability (Product)
  • https://www.php.net/manual/en/sessionhandlerinterface.gc.php (Product)

Remediation

  • https://github.com/kanboard/kanboard/commit/7ce61c34d962ca8b5dce776289ddf4b207be6e78 (Patch)