Lucene search

[email protected]NVD:CVE-2023-44400

HistoryOct 09, 2023 - 4:15 p.m.

CVE-2023-44400

2023-10-0916:15:10

CWE-384

[email protected]

web.nvd.nist.gov

uptime kuma

monitoring tool

persistent account access

session tokens

password changes

inactivity periods

security patch

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

Percentile

5.1%

JSON

Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user’s device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.

Affected configurations

Nvd

Node

uptime.kumauptime_kumaRange<1.23.3

VendorProductVersionCPE
uptime.kumauptime_kuma*cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
uptime.kuma	uptime_kuma	*	cpe:2.3:a:uptime.kuma:uptime_kuma::::::::

References

github.com/louislam/uptime-kuma/commit/88afab6571ef7d4d41bb395cdb6ecd3968835a4a

github.com/louislam/uptime-kuma/issues/3481

github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for NVD:CVE-2023-44400

vulnrichment1 cve2 cvelist2 veracode2 prion2 github1 osv4 nvd1