API returns timesheet entries a user shouldn't be authorized to view

Affected versions

  • Affected versions: < 2.13.0
  • Patched version: 2.13.0
  • Advisory published: 27 Mar 2024

Severity

Severity: Medium

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-29200 to this issue.

Vulnerability

Kimai handled the view_other_timesheet permission differently in the web interface and in the API. In affected versions, the API could return timesheet entries that a user should not have been allowed to see, even when the UI correctly limited visibility based on team access.

This exposed confidential timesheet information through the API to users who only had partial or team-scoped access in the application.

Info

This issue was an access control mismatch between the UI and the API.

  • The frontend correctly restricted visible timesheets based on team and permission context
  • The API endpoint /api/timesheets?user=all returned broader results than intended
  • Users could access entries outside their expected scope
  • The issue had confidentiality impact because sensitive timesheet data became visible through the API
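The mismatch described above comes down to two code paths evaluating the same permission against different scopes. The following Python model is an added illustration and is not Kimai's code: it assumes a hypothetical team-scoped rule for view_other_timesheet, shows a "user=all" handler that applies the permission without the team scope beside one that reuses the UI's visibility rule, and includes a parity check that a test suite could run to detect any entry the API returns but the UI would hide. All users, teams and timesheet entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset          # team ids the user belongs to
    permissions: frozenset    # role permissions, e.g. "view_other_timesheet"


@dataclass(frozen=True)
class Timesheet:
    id: int
    owner: str                # user name of the entry's owner
    team: str                 # team the owner belongs to (constructed data)


VIEW_OTHER = "view_other_timesheet"


def visible_owners(requester, users):
    """Single source of truth for timesheet visibility (hypothetical rule):
    a user always sees their own entries; with view_other_timesheet they also
    see entries of users who share at least one team with them."""
    allowed = {requester.name}
    if VIEW_OTHER in requester.permissions:
        for u in users:
            if u.teams & requester.teams:
                allowed.add(u.name)
    return allowed


def ui_timesheets(requester, users, timesheets):
    """The web UI applies the team-scoped rule."""
    allowed = visible_owners(requester, users)
    return [t for t in timesheets if t.owner in allowed]


def api_timesheets_vulnerable(requester, user_param, users, timesheets):
    """Models the pre-2.13.0 behaviour the advisory describes: user=all
    honours the permission but ignores the team scope, so more entries
    come back than the UI would ever show."""
    if user_param == "all":
        if VIEW_OTHER in requester.permissions:
            return list(timesheets)          # leak: every user's entries
        return [t for t in timesheets if t.owner == requester.name]
    return [t for t in timesheets if t.owner == user_param]


def api_timesheets_fixed(requester, user_param, users, timesheets):
    """Hardened version: the API reuses the same visibility rule as the UI,
    and an explicit user filter outside that scope is refused."""
    allowed = visible_owners(requester, users)
    if user_param == "all":
        return [t for t in timesheets if t.owner in allowed]
    if user_param not in allowed:
        raise PermissionError(f"{requester.name} may not view {user_param}")
    return [t for t in timesheets if t.owner == user_param]


def api_leak(requester, users, timesheets, api_fn):
    """Regression check: ids the API returns that the UI would hide.
    An empty set means the two paths agree."""
    ui_ids = {t.id for t in ui_timesheets(requester, users, timesheets)}
    api_ids = {t.id for t in api_fn(requester, "all", users, timesheets)}
    return api_ids - ui_ids


# Constructed sample data, not taken from any real Kimai instance.
USERS = [
    User("alice", frozenset({"team-a"}), frozenset({VIEW_OTHER})),
    User("bob", frozenset({"team-a"}), frozenset()),
    User("carol", frozenset({"team-b"}), frozenset()),
]
TIMESHEETS = [
    Timesheet(1, "alice", "team-a"),
    Timesheet(2, "bob", "team-a"),
    Timesheet(3, "carol", "team-b"),
]

if __name__ == "__main__":
    alice = USERS[0]
    print("vulnerable API leaks:", api_leak(alice, USERS, TIMESHEETS, api_timesheets_vulnerable))
    print("fixed API leaks:     ", api_leak(alice, USERS, TIMESHEETS, api_timesheets_fixed))
```

Run as a script, the model reports that alice (team-a, holding view_other_timesheet) receives carol's team-b entry from the vulnerable handler but not from the fixed one. The design point is that `visible_owners` is the only place the rule lives; once both the UI and the API call it, a parity check like `api_leak` can be kept in the test suite so that a future divergence between the two paths fails a test rather than shipping.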

Solution

Users should update to 2.13.0 or newer.

Credits

  • Reported by: AstroGD
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-cj3c-5xpm-cx94