CVE-2023-49804

Uptime Kuma Password Change Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or browser restarts. This vulnerability allows unauthorized access to user accounts, compromising the security of sensitive information. The same vulnerability was partially fixed in CVE-2023-44400, but logging existing users out of their accounts was forgotten. To mitigate the risks associated with this vulnerability, the maintainers made the server emit a `refresh` event (clients handle this by reloading) and then disconnecting all clients except the one initiating the password change. It is recommended to update Uptime Kuma to version 1.23.9.

Uptime Kuma es una herramienta de monitorización autohospedada y fácil de usar. Antes de la versión 1.23.9, cuando un usuario cambia su contraseña de inicio de sesión en Uptime Kuma, un usuario que había iniciado sesión anteriormente conserva el acceso sin cerrar la sesión. Este comportamiento persiste constantemente, incluso después de reiniciar el sistema o el navegador. Esta vulnerabilidad permite el acceso no autorizado a cuentas de usuarios, comprometiendo la seguridad de información confidencial. La misma vulnerabilidad se solucionó parcialmente en CVE-2023-44400, pero se olvidó cerrar la sesión de los usuarios existentes en sus cuentas. Para mitigar los riesgos asociados con esta vulnerabilidad, los mantenedores hicieron que el servidor emitiera un evento de "actualización" (los clientes manejan esto recargando) y luego desconectaron a todos los clientes excepto el que inició el cambio de contraseña. Se recomienda actualizar Uptime Kuma a la versión 1.23.9.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-11-30 CVE Reserved
2023-12-11 CVE Published
2023-12-15 EPSS Updated
2024-10-09 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-384: Session Fixation

CAPEC

References (3)

URL	Tag	Source
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g	Not Applicable

URL	Date	SRC

URL	Date	SRC
https://github.com/louislam/uptime-kuma/commit/482049c72b3a650c7bc5c26c2f4d57a21c0e0aa0	2023-12-14

URL	Date	SRC
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3	2023-12-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dockge.kuma Search vendor "Dockge.kuma"		Dockge Search vendor "Dockge.kuma" for product "Dockge"				< 1.3.3 Search vendor "Dockge.kuma" for product "Dockge" and version " < 1.3.3"		-		Affected
Uptime.kuma Search vendor "Uptime.kuma"		Uptime Kuma Search vendor "Uptime.kuma" for product "Uptime Kuma"				< 1.23.9 Search vendor "Uptime.kuma" for product "Uptime Kuma" and version " < 1.23.9"		-		Affected