Insufficient Session Expiration in librenms/librenms

Valid

Reported on

Sep 21st 2022


Description

Active user sessions are not invalidated when that user is disabled.

Proof of Concept

Steps to reproduce:

1. Log in with an admin account.
2. Create a test user with the user role `Normal` and enable that user.
3. Log in as the test user in a separate browser or private browser window.
4. Disable the test user from the admin session.
5. Observe that the test user's session in the separate browser is still active and was not invalidated.

Impact

An existing session remains usable by an attacker until it expires, even after the user account has been disabled.

Occurrences

Active sessions should be invalidated after a user has been disabled.
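The reported behaviour from the steps above and the remediation suggested here, as an added example that is not LibreNMS code: a minimal in-memory session store in which disabling a user either leaves that user's sessions valid (the reported behaviour) or revokes them and re-checks the account on every request. The USERS/SESSIONS tables, the function names and the TTL are constructed for illustration.

```python
import secrets
import time

# Constructed stand-ins for the application's user and session tables.
USERS = {"alice": {"enabled": True}}
SESSIONS = {}  # session_id -> {"user": name, "expires": unix time}
SESSION_TTL = 3600


def login(username: str) -> str:
    """Issue a session for an enabled user (shared by both variants)."""
    if not USERS[username]["enabled"]:
        raise PermissionError("user disabled")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    return sid


def disable_user_vulnerable(username: str) -> None:
    """Reported behaviour: only the account flag changes; sessions live on."""
    USERS[username]["enabled"] = False


def resolve_session_vulnerable(sid: str):
    """Accepts any unexpired session regardless of the account's current state."""
    s = SESSIONS.get(sid)
    if s is None or s["expires"] < time.time():
        return None
    return s["user"]


def disable_user_fixed(username: str) -> int:
    """Hardened: flip the flag and revoke every session owned by the user."""
    USERS[username]["enabled"] = False
    stale = [sid for sid, s in SESSIONS.items() if s["user"] == username]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)  # number of sessions revoked


def resolve_session_fixed(sid: str):
    """Defence in depth: re-check the account on every request, so a session
    that escaped revocation (e.g. issued on another node) still fails."""
    s = SESSIONS.get(sid)
    if s is None or s["expires"] < time.time():
        return None
    if not USERS[s["user"]]["enabled"]:
        SESSIONS.pop(sid, None)
        return None
    return s["user"]
```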

We are processing your report and will contact the librenms team within 24 hours. 2 months ago
We have contacted a member of the librenms team and are waiting to hear back 2 months ago
We have sent a follow up to the librenms team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the librenms team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the librenms team. This report is now considered stale. 2 months ago
Tony Murray validated this vulnerability 2 months ago
vautia has been awarded the disclosure bounty
Tony Murray marked this as fixed in 22.10.0 with commit ce8e5f 2 months ago
This vulnerability has been assigned a CVE
Tony Murray published this vulnerability 16 days ago