GHSA-4fwj-m62q-pp47
Vulnerability from github
Published
2024-12-30 16:46
Modified
2024-12-31 18:42
Severity ?
5.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
Password Pusher Allows Session Token Interception Leading to Potential Hijacking
Details

Impact

A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking.

Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared.

This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device.

Patches

Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk.

Workarounds

If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access.

To further mitigate session hijacking risks, Password Pusher implements the following security measures:

  1. Automatic Session Expiration: Sessions are automatically expired after 2 hours of inactivity, reducing the window for potential exploitation.
  2. Session Reset on Login and Logout: Sessions are fully reset both when a user logs in and logs out, ensuring that session tokens are not reusable post-logout. This practice invalidates old session tokens and issues new ones, minimizing the risk of session hijacking.
  3. Encrypted Cookies: Cookies are encrypted using the value of SECRET_KEY_BASE from the application's configuration. This encryption adds a layer of protection against tampering or reading the session cookie's contents if intercepted, although it doesn't prevent the cookie from being used if stolen.

Note: While these measures significantly enhance security, they are part of a broader security strategy.

References

  • https://edgeguides.rubyonrails.org/security.html#session-hijacking

Credits

Thank you to Positive Technologies for reporting and working with me to bring this CVE to the community.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "pwpush"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.50.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-30T16:46:43Z",
    "nvd_published_at": "2024-12-30T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking.\n\nAlthough the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user\u0027s session until the token expires or is manually cleared.\n\nThis vulnerability hinges on the attacker\u0027s ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim\u0027s device.\n\n### Patches\n\nAlthough there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk.\n\n### Workarounds\n\nIf self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access.\n\nTo further mitigate session hijacking risks, Password Pusher implements the following security measures:\n\n1. **Automatic Session Expiration**: Sessions are automatically expired after 2 hours of inactivity, reducing the window for potential exploitation.\n2. **Session Reset on Login and Logout**: Sessions are fully reset both when a user logs in and logs out, ensuring that session tokens are not reusable post-logout. This practice invalidates old session tokens and issues new ones, minimizing the risk of session hijacking.\n3. **Encrypted Cookies**: Cookies are encrypted using the value of SECRET_KEY_BASE from the application\u0027s configuration. This encryption adds a layer of protection against tampering or reading the session cookie\u0027s contents if intercepted, although it doesn\u0027t prevent the cookie from being used if stolen.\n\n**Note**: While these measures significantly enhance security, they are part of a broader security strategy.\n\n### References\n\n* https://edgeguides.rubyonrails.org/security.html#session-hijacking\n\n### Credits\n\nThank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) for reporting and working with me to bring this CVE to the community.\n\n",
  "id": "GHSA-4fwj-m62q-pp47",
  "modified": "2024-12-31T18:42:50Z",
  "published": "2024-12-30T16:46:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56733"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pglombardo/PasswordPusher"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pwpush/CVE-2024-56733.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password Pusher Allows Session Token Interception Leading to Potential Hijacking"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.