Insufficient Session Expiration in nocodb/nocodb

Valid

Reported on

Jun 3rd 2022

Description

The application NocoDB failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords.

Proof of Concept

Login same account in two different browsers.

Try to change the password from browser one.

You will see after changing the password, sessions don't get destroyed from another browser and it is still logged in with old passwords.

poc video

https://drive.google.com/file/d/1gFn8BLktl90v2YfIRTimvFgu2rhNWoTx/view?usp=sharing

Impact

If a user's account got compromised and he/she tried to change the password still after changing the password session will not destroy and the attacker will have control over the account.

References

We are processing your report and will contact the nocodb team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
Raj
2 years ago

Researcher

Hello @admin the maintainer has provided the email id so can you pls invite them to this report

We have contacted a member of the nocodb team and are waiting to hear back 2 years ago
Jamie Slome
2 years ago

Admin

Sorted 👍

Raj modified the report
a year ago
We have sent a follow up to the nocodb team. We will try again in 7 days. a year ago
navi validated this vulnerability a year ago
Raj has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
navi marked this as fixed in 0.91.7+ with commit c9b511 a year ago
navi has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation