
Enabling Authentication does not close all logged in socket connections immediately

Low severity GitHub Reviewed Published Apr 19, 2024 in louislam/uptime-kuma • Updated Apr 19, 2024

Package

npm uptime-kuma (npm)

Affected versions

<= 1.23.11

Patched versions

1.23.12

Description

Summary

This is essentially the same issue as GHSA-88j4-pcx8-q4q, but triggered by enabling authentication rather than by changing a password: socket connections that were opened while authentication was disabled stay connected, and keep their logged-in state, after authentication is turned on.

PoC

  • Open Uptime Kuma with authentication disabled
  • Enable authentication using another window
  • Access the platform using the previously logged-in window
  • Note that read-write access remains in that window even though authentication is now enabled
  • Expected behaviour:
    • After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
  • Actual behaviour:
    • The system keeps the existing sessions; a previously connected user is logged out only when they click logout or refresh the page.
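The behaviour in the PoC and the expected fix, as an added example: this is not Uptime Kuma's code, but a small in-memory model of a socket-based server whose authentication can be toggled at runtime. The server, socket, user table and method names (MonitorServer, FakeSocket, setAuthRequired, editMonitor, reproduce) are all hypothetical and constructed for the illustration; the two variants differ only in whether enabling authentication invalidates the sessions that already exist.

```javascript
'use strict';
// Added example, not code from Uptime Kuma. Models a socket server whose
// authentication can be toggled at runtime, with an in-memory fake socket so
// it runs offline. All names here are hypothetical.

class FakeSocket {
  constructor(id) {
    this.id = id;
    this.connected = true;
    this.sent = []; // events the server pushed to this client
  }
  emit(event, payload) { this.sent.push({ event, payload }); }
  disconnect() { this.connected = false; }
}

// Constructed credentials for the example; a real server stores a hash.
const USERS = { admin: 'correct horse battery staple' };

class MonitorServer {
  constructor({ authRequired, closeSessionsOnAuthEnable }) {
    this.authRequired = authRequired;
    // false reproduces the reported behaviour, true applies the fix
    this.closeSessionsOnAuthEnable = closeSessionsOnAuthEnable;
    this.sessions = new Map(); // socket.id -> { socket, loggedIn, autoLogin }
  }

  // New socket connection. With authentication disabled the server grants a
  // logged-in session immediately (the "auto login" case from the PoC).
  connect(socket) {
    const session = { socket, loggedIn: false, autoLogin: false };
    if (!this.authRequired) {
      session.loggedIn = true;
      session.autoLogin = true;
      socket.emit('autoLogin');
    }
    this.sessions.set(socket.id, session);
    return session;
  }

  login(socket, username, password) {
    const session = this.sessions.get(socket.id);
    if (!session || !socket.connected) return false;
    if (USERS[username] !== password) return false;
    session.loggedIn = true;
    session.autoLogin = false;
    return true;
  }

  // A read-write action. The check consults only per-socket session state,
  // so it never notices that authRequired changed after the socket connected.
  editMonitor(socket) {
    const session = this.sessions.get(socket.id);
    if (!session || !socket.connected) return { ok: false, reason: 'not connected' };
    if (!session.loggedIn) return { ok: false, reason: 'login required' };
    return { ok: true, reason: 'monitor updated' };
  }

  setAuthRequired(enabled) {
    const wasRequired = this.authRequired;
    this.authRequired = enabled;
    if (enabled && !wasRequired && this.closeSessionsOnAuthEnable) {
      // Fix: invalidate every existing session and force a fresh login.
      for (const [id, session] of this.sessions) {
        session.loggedIn = false;
        session.autoLogin = false;
        session.socket.emit('logout');
        session.socket.disconnect();
        this.sessions.delete(id);
      }
    }
  }
}

// Re-enacts the PoC: one window connects while auth is disabled, a second
// window enables auth, then the first window attempts a read-write action.
// Finally a fresh connection logs in properly to show normal access still works.
function reproduce(closeSessionsOnAuthEnable) {
  const server = new MonitorServer({ authRequired: false, closeSessionsOnAuthEnable });
  const oldWindow = new FakeSocket('old-window');
  server.connect(oldWindow);

  const adminWindow = new FakeSocket('admin-window');
  server.connect(adminWindow);
  server.setAuthRequired(true); // "Enable authentication using another window"

  const access = server.editMonitor(oldWindow);

  const fresh = new FakeSocket('fresh-window');
  server.connect(fresh);
  const beforeLogin = server.editMonitor(fresh);
  const loginOk = server.login(fresh, 'admin', USERS.admin);
  const relogin = server.editMonitor(fresh);

  return { access, stillConnected: oldWindow.connected, beforeLogin, loginOk, relogin };
}

if (typeof module !== 'undefined') {
  module.exports = { FakeSocket, MonitorServer, reproduce };
}
```

With closeSessionsOnAuthEnable set to false, reproduce() returns ok: true for the old window, which is the reported behaviour; with it set to true the old socket is disconnected and its next action fails, while a fresh connection that logs in with valid credentials regains access.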

Impact

See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q

TBH this is quite a niche edge case, so I don't know if this even warrants a security report.

References

louislam published to louislam/uptime-kuma Apr 19, 2024
Published to the GitHub Advisory Database Apr 19, 2024
Reviewed Apr 19, 2024
Last updated Apr 19, 2024

Severity

Low

EPSS score

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-23q2-5gf8-gjpp

Source code
