API returns timesheet entries a user shouldn't be authorized to view
Affected versions
- Kimai versions < 2.13.0 are affected by this security issue
- The issue has been fixed in Kimai 2.13.0
- Severity: Medium
- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-29200 to this issue
Description
Kimai handled the view_other_timesheet permission differently in the web interface and in the API.
In affected versions, the API could return timesheet entries that a user should not have been allowed to see, even when the UI correctly limited visibility based on team access.
This exposed confidential timesheet information through the API to users who only had partial or team-scoped access in the application.
This issue was an access control mismatch between the UI and the API.
- The frontend correctly restricted visible timesheets based on team and permission context
- The API endpoint `/api/timesheets?user=all` returned broader results than intended
- Users could access entries outside their expected scope
- The issue had confidentiality impact because sensitive timesheet data became visible through the API
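The following is an added example that models the class of bug described above; it is not Kimai's code and does not reproduce Kimai's classes, permission system or schema. It assumes a hypothetical model in which `view_other_timesheet` grants visibility of every user's entries and a team lead (a role assumed here for illustration) sees entries of members of the teams they lead. The point it shows is that a `user=all` expansion in the API must be derived from the same visibility rule the UI applies, rather than bypassing it:

```python
from dataclasses import dataclass

# Hypothetical model of the objects involved (constructed for this example, not Kimai's).
@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset = frozenset()   # e.g. {"view_other_timesheet"}
    teams: frozenset = frozenset()         # ids of teams the user belongs to
    leads: frozenset = frozenset()         # ids of teams the user leads (assumed team-scoped access)

@dataclass(frozen=True)
class Timesheet:
    id: int
    user_id: int

VIEW_OTHER = "view_other_timesheet"   # permission named in the advisory


def visible_user_ids(requester, users):
    """Users whose timesheets the requester may see: the rule the UI applies."""
    if VIEW_OTHER in requester.permissions:
        return {u.id for u in users}
    allowed = {requester.id}
    for u in users:
        if u.teams & requester.leads:   # member of a team the requester leads
            allowed.add(u.id)
    return allowed


def api_timesheets_vulnerable(requester, users, timesheets, user_param=None):
    """Modelled pre-fix behaviour: 'user=all' returns every entry without a scope check."""
    if user_param == "all":
        return list(timesheets)
    target = requester.id if user_param is None else int(user_param)
    return [t for t in timesheets if t.user_id == target]


def api_timesheets_fixed(requester, users, timesheets, user_param=None):
    """Modelled fix: 'user=all' expands only to users the requester could see in the UI,
    and an explicit user id outside that set is rejected."""
    allowed = visible_user_ids(requester, users)
    if user_param == "all":
        targets = allowed
    else:
        target = requester.id if user_param is None else int(user_param)
        if target not in allowed:
            raise PermissionError(f"user {requester.id} may not view timesheets of user {target}")
        targets = {target}
    return [t for t in timesheets if t.user_id in targets]


# Constructed sample data: user 1 has view_other_timesheet, user 2 leads team 10,
# user 3 is in team 10, user 4 is in an unrelated team 20.
USERS = [
    User(1, frozenset({VIEW_OTHER})),
    User(2, teams=frozenset({10}), leads=frozenset({10})),
    User(3, teams=frozenset({10})),
    User(4, teams=frozenset({20})),
]
SHEETS = [Timesheet(i, uid) for i, uid in enumerate([1, 2, 3, 3, 4], start=1)]


def leaked_ids(requester, users=USERS, timesheets=SHEETS):
    """Timesheet ids that 'user=all' returns from the vulnerable handler but not the fixed one."""
    vuln = {t.id for t in api_timesheets_vulnerable(requester, users, timesheets, "all")}
    fixed = {t.id for t in api_timesheets_fixed(requester, users, timesheets, "all")}
    return sorted(vuln - fixed)


if __name__ == "__main__":
    for u in USERS:
        print(f"user {u.id}: sees {sorted(visible_user_ids(u, USERS))}, leaked via user=all: {leaked_ids(u)}")
```

With this data the team lead (user 2) leaks the entries of users 1 and 4 through the vulnerable handler, and user 4 leaks everything but their own; the user holding `view_other_timesheet` leaks nothing because the two handlers agree for them, which is why a test run only as an administrator will not catch this class of bug.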
Users should update to 2.13.0 or newer.
Credits
- Reported by: AstroGD
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-cj3c-5xpm-cx94