PT-2024-36564 · Kanboard


Published: 2024-12-18 · Updated: 2024-12-19

CVE-2024-55603

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.43
Description: Kanboard is project management software focused on the Kanban methodology. In affected versions, a session remains usable after its lifetime has been exceeded. Kanboard implements a custom session handler (app/Core/Session/SessionHandler.php) that stores session data in a database. When a session id is presented, Kanboard queries the matching row from the sessions SQL table but does not check whether that session has already passed its expiry timestamp (expires_at). A session whose expires_at is already earlier than time() is therefore still loaded from the database and still counts as a valid login. The handler's SessionHandlerInterface::gc implementation, which deletes expired rows, is only invoked with probability session.gc_probability / session.gc_divisor at session start (session.gc_maxlifetime is what PHP passes to gc() as the maximum lifetime). In the official Kanboard Docker image these default to session.gc_probability=1 and session.gc_divisor=1000, so each request has only a 1/1000 chance of triggering garbage collection, and an expired session stays usable until one of those rare gc runs happens to remove its row. A leaked or stolen session cookie thus remains valid well past its intended lifetime.
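The following PHP sketch is added here as an illustration and is not taken from Kanboard's source. It contrasts a read() that ignores expires_at (the pattern described above) with one that rejects expired rows on every read, independent of whether gc() has run. The class name DbSessionHandler, the use of SQLite through PDO, PHP 8.1+ signatures, and the sessions table layout (id, expires_at, data) are assumptions made for the demo.

```php
<?php
// Added example, not Kanboard's code: a minimal database-backed PHP session
// handler showing the flaw described above (read() ignores expires_at) next to
// the corrected read(). Assumptions not taken from the page: PHP 8.1+, the
// pdo_sqlite extension, and a "sessions" table with columns id, expires_at, data.

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(
        private PDO $db,
        private int $lifetime,
        private bool $checkExpiry   // false = vulnerable behaviour, true = fixed
    ) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        if ($this->checkExpiry) {
            // Fixed: an expired row is treated as "no session" on every read,
            // so validity no longer depends on whether gc() happened to run.
            $stmt = $this->db->prepare(
                'SELECT data FROM sessions WHERE id = :id AND expires_at > :now');
            $stmt->execute([':id' => $id, ':now' => time()]);
        } else {
            // Vulnerable pattern: expires_at is stored but never consulted here.
            $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
            $stmt->execute([':id' => $id]);
        }
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;   // '' means "no session" to PHP
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, expires_at, data) VALUES (:id, :exp, :data)');
        return $stmt->execute([
            ':id' => $id, ':exp' => time() + $this->lifetime, ':data' => $data]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // PHP calls this only on a fraction gc_probability/gc_divisor of session
    // starts, so with the vulnerable read() an expired row survives until then.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at < :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Constructed demo data: one session row that expired an hour ago.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, expires_at INTEGER NOT NULL, data TEXT NOT NULL)');
$db->exec("INSERT INTO sessions VALUES ('expired-sid', " . (time() - 3600) . ", 'user_id|i:1;')");

$vulnerable = new DbSessionHandler($db, 3600, false);
$fixed      = new DbSessionHandler($db, 3600, true);

var_dump($vulnerable->read('expired-sid'));  // stale row is returned: still a login
var_dump($fixed->read('expired-sid'));       // empty string: session rejected

// Expected number of session starts before gc() reaps the row under the
// Docker-image defaults (gc_probability=1, gc_divisor=1000).
$gcProbability = 1; $gcDivisor = 1000;
echo "expected requests until gc runs: ", $gcDivisor / $gcProbability, PHP_EOL;
```

Running it with the vulnerable handler prints the serialized session data for the hour-old row, while the fixed handler returns an empty string and PHP starts a fresh, unauthenticated session. The key design point is that expiry is enforced in the read path with a WHERE clause on expires_at, so the probabilistic gc() becomes housekeeping rather than the security boundary.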
Recommendations: Update to version 1.2.43 or later, which adds the missing expiry check. As a temporary workaround, raise the garbage-collection frequency by adjusting session.gc_probability and session.gc_divisor (with session.gc_probability=1 and session.gc_divisor=1, PHP runs gc on every session start); this shortens the window in which an expired session stays usable but does not close it, because reads between gc runs still accept expired rows. Restricting access to app/Core/Session/SessionHandler.php or avoiding a session-id parameter on an API endpoint does not address the issue: the handler is an internal PHP class rather than a web-reachable endpoint, and the flaw is triggered by any request that presents an expired session cookie.

Weakness Enumeration: Insufficient Session Expiration (CWE-613)

Related Identifiers: CVE-2024-55603, GHSA-GV5C-8PXR-P484

Affected Products: Debian, Kanboard