Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GHSA SYNC: 1 brand new advisory #844

Merged
merged 1 commit into from
Dec 31, 2024
Merged

GHSA SYNC: 1 brand new advisory #844

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions gems/pwpush/CVE-2024-56733.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
---
gem: pwpush
cve: 2024-56733
ghsa: 4fwj-m62q-pp47
url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47
title: Password Pusher Allows Session Token Interception Leading
to Potential Hijacking
date: 2024-12-30
description: |
### Impact

A vulnerability has been reported in Password Pusher where an
attacker can copy the session cookie before a user logs out,
potentially allowing session hijacking.

Although the session token is replaced and invalidated upon logout,
if an attacker manages to capture the session cookie before this
process, they can use the token to gain unauthorized access to the
user's session until the token expires or is manually cleared.

This vulnerability hinges on the attacker's ability to access the
session cookie during an active session, either through a
man-in-the-middle attack, by exploiting another vulnerability like
XSS, or via direct access to the victim's device.

### Patches

Although there is no direct resolution to this vulnerability, it is
recommended to always use the latest version of Password Pusher to
best mitigate risk.

### Workarounds

If self-hosting, ensure Password Pusher is hosted exclusively over
SSL connections to encrypt traffic and prevent session cookies from
being intercepted in transit. Additionally, implement best practices
in local security to safeguard user systems, browsers, and data
against unauthorized access.

To further mitigate session hijacking risks, Password Pusher
implements the following security measures:

1. **Automatic Session Expiration**: Sessions are automatically
expired after 2 hours of inactivity, reducing the window for
potential exploitation.

2. **Session Reset on Login and Logout**: Sessions are fully reset
both when a user logs in and logs out, ensuring that session
tokens are not reusable post-logout. This practice invalidates
old session tokens and issues new ones, minimizing the risk of
session hijacking.

3. **Encrypted Cookies**: Cookies are encrypted using the value of
SECRET_KEY_BASE from the application's configuration. This
encryption adds a layer of protection against tampering or reading
the session cookie's contents if intercepted, although it doesn't
prevent the cookie from being used if stolen.

**Note**: While these measures significantly enhance security, they
are part of a broader security strategy.

### References

* https://edgeguides.rubyonrails.org/security.html#session-hijacking

### Credits

Thank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/)
for reporting and working with me to bring this CVE to the community.

cvss_v3: 5.7
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-56733
- https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47
- https://github.com/advisories/GHSA-4fwj-m62q-pp47
Loading