Insufficient Session Expiration in cortezaproject/corteza-server

Valid

Reported on

Oct 2nd 2021


Set up the cortezaproject on your local machine.

Steps:

  1. Create the account on corteza

  2. Log in using the same credentials from Chrome and Firefox.

  3. Change the user password from Chrome.

  4. Perform any activity in Firefox; the session is still valid.

Mitigation:

After changing the password, each and every active session that belongs to that particular account must be destroyed!
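One way to implement the mitigation the report asks for, as an added example that is not part of the original report and not Corteza's own code (Corteza's real token storage differs): each user record carries a credential version that is bumped on every password change, every session records the version it was issued under, and request validation refuses any session whose version is stale. ChangePassword additionally deletes the user's other sessions outright; the version check is the backstop for anything that slips past that loop (a replica, a cached token). The store, the `Store`/`User`/`Session` types and the plain-string password comparison are assumptions made for the example; a real system compares against a bcrypt/argon2 hash and requires the current password before accepting a new one.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical in-memory store for illustration only; not Corteza's code.
type User struct {
	PasswordHash string // a real system stores a bcrypt/argon2 hash here
	CredVersion  uint64 // incremented on every password change
}

type Session struct {
	UserID      string
	CredVersion uint64 // the user's CredVersion at login time
}

type Store struct {
	mu       sync.Mutex
	users    map[string]*User
	sessions map[string]*Session
}

var (
	ErrBadCredentials = errors.New("bad credentials")
	ErrNoSession      = errors.New("session not found or revoked")
)

func NewStore() *Store {
	return &Store{users: map[string]*User{}, sessions: map[string]*Session{}}
}

func (s *Store) AddUser(id, passwordHash string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = &User{PasswordHash: passwordHash, CredVersion: 1}
}

// Login checks the password and issues a session bound to the user's current
// credential version. Constant-time string comparison stands in for a hash check.
func (s *Store) Login(userID, password string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok || subtle.ConstantTimeCompare([]byte(u.PasswordHash), []byte(password)) != 1 {
		return "", ErrBadCredentials
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	s.sessions[id] = &Session{UserID: userID, CredVersion: u.CredVersion}
	return id, nil
}

// Validate runs on every authenticated request. A session whose CredVersion
// lags behind the user's was issued under an old password: refuse and drop it.
func (s *Store) Validate(sessionID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sessionID]
	if !ok {
		return "", ErrNoSession
	}
	u, ok := s.users[sess.UserID]
	if !ok || sess.CredVersion != u.CredVersion {
		delete(s.sessions, sessionID)
		return "", ErrNoSession
	}
	return sess.UserID, nil
}

// ChangePassword rotates the hash, bumps the credential version and revokes
// every other session of the user. keepSessionID (the session that made the
// change) is re-bound to the new version so that browser stays logged in.
func (s *Store) ChangePassword(userID, newPasswordHash, keepSessionID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return ErrBadCredentials
	}
	u.PasswordHash = newPasswordHash
	u.CredVersion++
	for id, sess := range s.sessions {
		if sess.UserID != userID {
			continue
		}
		if id == keepSessionID {
			sess.CredVersion = u.CredVersion
			continue
		}
		delete(s.sessions, id) // the Firefox session from the report dies here
	}
	return nil
}

func main() {
	s := NewStore()
	s.AddUser("alice", "old-secret")
	chrome, _ := s.Login("alice", "old-secret")
	firefox, _ := s.Login("alice", "old-secret")
	_ = s.ChangePassword("alice", "new-secret", chrome)
	_, err := s.Validate(firefox)
	fmt.Println("firefox session after password change:", err)
	uid, _ := s.Validate(chrome)
	fmt.Println("chrome session after password change:", uid)
}
```

With a stateless token format (a JWT, say) the same idea is carried by a version or `password_changed_at` claim inside the token, checked against the user record on every request; without that check a signed token stays valid until it expires no matter what the user does with their password.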

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 2 months ago
takester
2 months ago

Researcher


Any update??

takester
2 months ago

Researcher


any update??

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is stale. a month ago
Tomaž Jerman
a month ago

Maintainer


Thank you for reporting. We were implementing some improvements to how tokens are stored and managed. I will sync internally to see how exactly we want your case to look.

Tomaž Jerman
a month ago

Maintainer


The reported flow holds, but we are not planning on changing it. A user has an option to revoke their sessions at any point if they decide to do so, but we will not revoke them automatically for such cases.

We might add a popup (or something) to ask the user to revoke the sessions for cases such as password changes or logout for a nicer UX (something similar to what Facebook does IIRC).

@admin should this disclosure be considered valid? For us, we would say no.

Jamie Slome
a month ago

Admin


Same situation here @tjerman. Feel free to mark as invalid if you do not believe this to be a security issue.

Tomaž Jerman validated this vulnerability 24 days ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tomaž Jerman
24 days ago

Maintainer


The final decision reconsidered this as an issue. Thank you for the disclosure

Tomaž Jerman confirmed that a fix has been merged on 015771 24 days ago
The fix bounty has been dropped
takester
23 days ago

Researcher


Thanks for bounty. Will I be getting CVE on this??

Jamie Slome
23 days ago

Admin


@takester - if the maintainer confirms they are happy for a CVE to be published here, we can go ahead and do this for you!

takester
23 days ago

Researcher


Okay thanks