7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%
Attackers with access to a users’ device can gain persistent account access.
This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity-periods.
uptime-kuma
sets JWT tokens for users after successful authentication.
These tokens have the following design flaws:
sessionStorage
or localStorage
.Remember Me
button.These flaws allow user cookies to remain valid even after changing passwords or being inactive, posing a high security risk.
In testing, even after a period of over a day of inactivity, the session was still valid
Another person with local access to the device could take over the session permanently, even after hours of previous inactivity or a password change.
Such activity would not be obvious to the user (see https://github.com/louislam/uptime-kuma/issues/3481 if you want to help with this).
With this gained account access, an attacker can cause:
api-keys
(only used for accessing /metrics
)Steam API Key
HTTP(s) - Browser Engine (Chrome/Chromium) (Beta)
leading to RAM exhaustionIf operated in some restricted network, access to monitors may provide the ability to change the scope of the attack to a different piece of infrastructure, for example via SQL commands to a database server.
We have not classified this as changed scope
because credentials stored in the application for accessing other systems are existing valid paths across the trust boundary, and the user should be aware of that.
CPE | Name | Operator | Version |
---|---|---|---|
uptime-kuma | lt | 1.23.3 |