Insufficient Session Expiration After Password Change in cockpit-hq/cockpit
Reported on
Aug 6th 2022
Description
During my test, I found that in Cockpit v2.1.2, the application was not validating the request after a password change. This allows an attacker to update user account details even after the admin changes the password.
Steps to Reproduce:
- Log in with your account, click on "Account Settings", update your details and intercept the request in Burp Suite/OWASP ZAP.
- Now change your account password and try changing your account details from the request we just captured before changing the password.
- You will notice that the application returns the following response:
  {"error": "401", "message":"Unauthorized request"}
- Now refresh the page. You will notice that the admin's account details have successfully changed.
Proof Of Concept: https://drive.google.com/file/d/1yqwYB1o8jfXtPUTgQ_yzI_sRqkfAyXx3/view?usp=sharing
Impact
If an admin's account gets compromised, even if the admin changes his password, the attacker is still able to update the admin's account details and perform malicious actions.
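The behaviour in the report (a 401 response, yet the captured request still changes the account) is what happens when the session check runs after the write, or not at all. The added example below is not Cockpit's code; it models a session that records a per-user password generation, and shows the buggy write-then-check ordering beside the corrected check-then-write handler. All names (User, Session, pw_generation, the sample e-mail values) are hypothetical.

```python
# Added example (not Cockpit's own code): sessions stamped with the user's
# password generation, plus the ordering bug from the report beside its fix.
from dataclasses import dataclass
import secrets

@dataclass
class User:
    name: str
    password_hash: str
    pw_generation: int = 0             # bumped on every password change
    email: str = "admin@example.test"  # constructed sample value

@dataclass
class Session:
    token: str
    user: User
    pw_generation: int                 # generation at the time of login

def login(user: User) -> Session:
    return Session(secrets.token_hex(16), user, user.pw_generation)

def change_password(user: User, new_hash: str) -> None:
    user.password_hash = new_hash
    user.pw_generation += 1            # every session issued before this is stale

def session_is_valid(s: Session) -> bool:
    return s.pw_generation == s.user.pw_generation

def update_account_buggy(s: Session, email: str) -> dict:
    """Reproduces the reported behaviour: the state is written before the check."""
    s.user.email = email
    if not session_is_valid(s):
        return {"error": "401", "message": "Unauthorized request"}
    return {"status": "ok"}

def update_account_fixed(s: Session, email: str) -> dict:
    """Validate the session first; a stale session never reaches the write."""
    if not session_is_valid(s):
        return {"error": "401", "message": "Unauthorized request"}
    s.user.email = email
    return {"status": "ok"}

def demo(handler):
    """Log in, change the password, then replay a request captured earlier."""
    admin = User("admin", "hash-v1")
    captured = login(admin)            # session from before the password change
    change_password(admin, "hash-v2")
    resp = handler(captured, "attacker@example.test")
    return resp, admin.email           # (response, e-mail now stored for admin)
```

Both handlers answer 401 to the replayed request; only the fixed one leaves the stored e-mail untouched.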
I can validate the issue and will provide a fix. Thanks for reporting!
Hi @admin, can you please assign a CVE for this issue if accepted by @maintainer.
Kind Regards, Suvam Adhikari
CVE assigned and should be published in the next 24 hours
Well done all!