Lucene search

GoogleOSV:CVE-2023-44400

HistoryOct 09, 2023 - 4:15 p.m.

CVE-2023-44400

2023-10-0916:15:10

Google

osv.dev

self-hosted monitoring tool

persistent account access

missing verification

session tokens

password changes

elapsed inactivity periods

patch

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user’s device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue.

CPENameOperatorVersion
uptime-kumaeq1.15.1
uptime-kumaeq1.22.0
uptime-kumaeq1.11.1
uptime-kumaeq1.15.0-beta.1
uptime-kumaeq1.12.1
uptime-kumaeq1.6.0
uptime-kumaeq1.17.0-beta.0
uptime-kumaeq1.21.3
uptime-kumaeq1.18.2
uptime-kumaeq1.15.0-beta.0

Name	Operator	Version
uptime-kuma	eq	1.15.1
uptime-kuma	eq	1.22.0
uptime-kuma	eq	1.11.1
uptime-kuma	eq	1.15.0-beta.1
uptime-kuma	eq	1.12.1
uptime-kuma	eq	1.6.0
uptime-kuma	eq	1.17.0-beta.0
uptime-kuma	eq	1.21.3
uptime-kuma	eq	1.18.2
uptime-kuma	eq	1.15.0-beta.0

Rows per page:

1-10 of 1001

References

github.com/louislam/uptime-kuma/commit/88afab6571ef7d4d41bb395cdb6ecd3968835a4a

github.com/louislam/uptime-kuma/issues/3481

github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for OSV:CVE-2023-44400