Learn about CVE-2023-31140 affecting OpenProject versions 7.4.0 to 12.5.4. Find out the impact, technical details, and steps to mitigate the user sessions vulnerability.
A vulnerability has been identified in OpenProject that allows user sessions to remain active even after activating two-factor authentication (2FA).
Understanding CVE-2023-31140
This CVE affects OpenProject versions from 7.4.0 to 12.5.4, creating a scenario where user sessions are not terminated after activating 2FA.
What is CVE-2023-31140?
OpenProject, an open-source project management software, fails to terminate existing user sessions when 2FA devices are confirmed, leaving accounts vulnerable to unauthorized access.
The Impact of CVE-2023-31140
This vulnerability poses a medium severity risk, with a CVSS v3.1 base score of 4.8. An attacker who already holds a session for an account retains that access after the user enables 2FA, because enrolling a second factor does not invalidate sessions that were established before it.
Technical Details of CVE-2023-31140
The vulnerability arises from insufficient session expiration and affects OpenProject versions between 7.4.0 and 12.5.4.
Vulnerability Description
When a user confirms their 2FA device or an administrator creates a mobile phone 2FA device on behalf of a user, existing sessions remain active, providing an opportunity for unauthorized access.
Affected Systems and Versions
OpenProject versions between 7.4.0 and 12.5.4 are affected by this vulnerability, where user sessions are not properly terminated after enabling 2FA.
Exploitation Mechanism
In CVSS terms the vulnerability has a network attack vector, requires low privileges, and requires user interaction. The practical concern is that a session opened before 2FA was enabled keeps the access that 2FA was meant to gate, so an unauthorized party holding such a session is not locked out when the legitimate user enrolls a device.
Mitigation and Prevention
To safeguard against this vulnerability, take the immediate steps below, apply the available patches and updates, and keep the long-term practices in place.
Immediate Steps to Take
Users are advised to manually log out after registering their first 2FA device to terminate all active sessions. Additionally, administrators can ensure the default behavior of actively terminating sessions is enabled in OpenProject.
Long-Term Security Practices
It is recommended to regularly review security configurations, enforce strong password policies, and monitor user sessions to detect any suspicious activity.
Patching and Updates
Users should update their OpenProject installations to version 12.5.4 or later, where the issue has been resolved by actively terminating user sessions upon registering a 2FA device.
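The following is an added example, written for this page in Ruby (OpenProject's implementation language) and not taken from OpenProject's code base. It models both the defect described under "Vulnerability Description" (2FA enrollment changes only the user's flag, so sessions opened earlier stay alive) and the fix described here (enrollment revokes every other session of that user), plus a request-time check that rejects any session which did not pass 2FA at or after enrollment. The User and Session structures, the field names two_factor_enabled_at and mfa_verified_at, and the timestamps are all constructed for the example.

```ruby
require 'securerandom'

# Constructed sample schema (not OpenProject's): a user record and session records.
User    = Struct.new(:id, :two_factor_enabled_at, keyword_init: true)
Session = Struct.new(:token, :user_id, :created_at, :mfa_verified_at, keyword_init: true)

class SessionStore
  def initialize
    @sessions = {} # token => Session
  end

  def login(user_id, now:)
    token = SecureRandom.hex(16)
    @sessions[token] = Session.new(token: token, user_id: user_id,
                                   created_at: now, mfa_verified_at: nil)
    token
  end

  # Naive liveness check: the session row still exists. The vulnerable flow
  # relies on nothing more than this.
  def alive?(token)
    @sessions.key?(token)
  end

  # Vulnerable enrollment: only the user's flag changes; sessions opened before
  # enrollment keep working (the defect class of CVE-2023-31140).
  def confirm_device_vulnerable(user, now:)
    user.two_factor_enabled_at = now
  end

  # Fixed enrollment: also revoke every other session of this user and record
  # that the current session passed 2FA now.
  def confirm_device_fixed(user, current_token, now:)
    user.two_factor_enabled_at = now
    @sessions.delete_if { |token, s| s.user_id == user.id && token != current_token }
    @sessions[current_token].mfa_verified_at = now
  end

  # Request-time check (defense in depth): once 2FA is enabled, a session is
  # valid only if it completed 2FA at or after the enrollment time. This still
  # rejects a stale session if revocation was skipped or raced.
  def authorized?(token, user)
    s = @sessions[token]
    return false unless s && s.user_id == user.id
    return true if user.two_factor_enabled_at.nil?
    !s.mfa_verified_at.nil? && s.mfa_verified_at >= user.two_factor_enabled_at
  end
end

# Constructed timestamps: an older session, the user's current session, enrollment.
T0 = Time.utc(2023, 5, 1, 9, 0, 0)
T1 = Time.utc(2023, 5, 1, 10, 0, 0)
T2 = Time.utc(2023, 5, 1, 11, 0, 0)

def vulnerable_scenario
  store = SessionStore.new
  alice = User.new(id: 1, two_factor_enabled_at: nil)
  stale = store.login(alice.id, now: T0)   # e.g. a browser left logged in elsewhere
  store.login(alice.id, now: T1)           # the session used to enroll
  store.confirm_device_vulnerable(alice, now: T2)
  { stale_alive: store.alive?(stale),                 # true: the bug
    stale_authorized: store.authorized?(stale, alice) } # false: time-based check catches it
end

def fixed_scenario
  store = SessionStore.new
  alice = User.new(id: 1, two_factor_enabled_at: nil)
  stale   = store.login(alice.id, now: T0)
  current = store.login(alice.id, now: T1)
  store.confirm_device_fixed(alice, current, now: T2)
  { stale_alive: store.alive?(stale),                     # false: revoked at enrollment
    current_authorized: store.authorized?(current, alice) } # true
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_scenario  # {:stale_alive=>true, :stale_authorized=>false}
  p fixed_scenario       # {:stale_alive=>false, :current_authorized=>true}
end
```

Revoking other sessions at enrollment matches the behaviour the fixed release adopts; the authorized? check is a separate layer that makes the stale session useless even where the revocation step is missing, which is the property a defender would want to assert in tests after upgrading.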