Insufficient Session Expiration After Password Change in cockpit-hq/cockpit

Valid

Reported on Aug 6th 2022


Description

During my test, I found that in Cockpit v2.1.2, the application was not validating the request after a password change. This allows an attacker to update user account details even after the admin changes the password.

Steps to Reproduce:

  1. Log in with your account, click on "Account Settings", update your details and intercept the request in Burp Suite/OWASP ZAP.
  2. Now change your account password and try changing your account details from the request we captured before changing the password.
  3. You will notice that the application returns the following response: `{"error": "401", "message":"Unauthorized request"}`
  4. Now refresh the page. You will notice that our admin's account details have successfully changed.

Proof Of Concept: https://drive.google.com/file/d/1yqwYB1o8jfXtPUTgQ_yzI_sRqkfAyXx3/view?usp=sharing

Impact

If an admin's account gets compromised, even if the admin changes his password, the attacker is still able to update the admin's account details and perform malicious actions.
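A defensive model of the missing check, added here as an illustration that is neither Cockpit's code nor the fix shipped in commit dd8d03: every session records the password generation it was issued under, a password change bumps that generation so older sessions stop authorizing, and an account update is authorized before anything is written. `Store`, `User`, `pw_generation` and the SHA-256 stand-in for password hashing are assumptions of this example.

```python
import hashlib
import secrets

UNAUTHORIZED = {"error": "401", "message": "Unauthorized request"}

def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()  # illustrative; use argon2/bcrypt in practice

class User:
    def __init__(self, name, password):
        self.name, self.email = name, ""
        self.pw_hash = pw_hash(password)
        self.pw_generation = 0  # bumped on every password change

class Store:
    def __init__(self):
        self.users = {}     # name -> User
        self.sessions = {}  # token -> (name, pw_generation the session was issued under)

    def login(self, name, password):
        u = self.users.get(name)
        if u is None or u.pw_hash != pw_hash(password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (name, u.pw_generation)
        return token

    def authorize(self, token):
        name, gen = self.sessions.get(token, (None, None))
        u = self.users.get(name)
        if u is None or gen != u.pw_generation:  # unknown token, or one issued before the last password change
            self.sessions.pop(token, None)  # stale session: discard it
            return None
        return u

    def change_password(self, token, new_password):
        u = self.authorize(token)
        if u is None:
            return UNAUTHORIZED
        u.pw_hash = pw_hash(new_password)
        u.pw_generation += 1  # every other session issued for this user is now stale
        self.sessions[token] = (u.name, u.pw_generation)  # keep only the caller's own session alive
        return {"ok": True}

    def update_account(self, token, email):
        u = self.authorize(token)  # authorize first; mutate only after it succeeds
        if u is None:
            return UNAUTHORIZED
        u.email = email
        return {"ok": True}
```

With this ordering a replayed pre-change request gets the 401 and leaves the account untouched, instead of the 401-yet-applied behaviour the steps above describe.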

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a year ago
Artur validated this vulnerability a year ago

I can validate the issue and will provide a fix. Thanks for reporting!

Suvam Adhikari has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.2.0 with commit dd8d03 a year ago
Artur has been awarded the fix bounty
This vulnerability will not receive a CVE
Suvam Adhikari
a year ago

Researcher


Hi @admin, can you please assign a CVE for this issue 🙂 if accepted by @maintainer.

Kind Regards, Suvam Adhikari

Artur gave praise a year ago
Thank you for the finding 🙏 Go for the CVE!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Jamie Slome
a year ago

Admin


CVE assigned and should be published in the next 24 hours 👍

Well done all! 🎉
