Username enumeration via timing, using deprecated API authentication
Affected versions
- Kimai versions <=2.53.0 are affected by this security issue
- The issue has been fixed in Kimai 2.54.0
- Severity: Low
- We have not requested an official CVE ID for this security advisory
Description
Kimai exposed a small timing difference in the legacy API authentication flow that accepted the X-AUTH-USER and X-AUTH-TOKEN headers.
In affected versions, requests for existing usernames took measurably longer than requests for unknown usernames, which could allow user enumeration through repeated timing analysis.
The response body and HTTP status stayed identical, so the leak was limited to request timing only.
This issue affected the legacy API password authentication mechanism that has already been deprecated.
- The authenticator performed password hash verification only when the requested user existed
- Requests for unknown usernames returned faster because no equivalent hash verification work was performed
- Attackers could use repeated probes to distinguish valid usernames from invalid ones
- The practical impact was limited because the gap was small and easier to observe locally than across a real network
Solution
Invalid logins now trigger a “fake” password hashing step, making it impossible to distinguish wrong passwords from unknown user accounts. Rate limiting was added to failed logins.
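To show the two code paths side by side, here is an added example that is not Kimai's own code (Kimai is PHP; this is Python with a constructed in-memory user store and PBKDF2 standing in for the real password hasher): the early-return authenticator that caused the timing gap, beside the dummy-hash variant described in the fix, with a counter that makes the amount of hashing work per request visible.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical stand-in for Kimai's user store: username -> (salt, PBKDF2 hash). Constructed data.
ITERATIONS = 100_000
HASH_CALLS = 0  # counts hash computations, to show how much work each code path performs

def hash_password(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_credential(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

USERS = {"alice": make_credential("correct-horse-battery-staple")}
DUMMY = make_credential(secrets.token_hex(16))  # random secret nobody knows; used for unknown users

def verify(credential: tuple, password: str) -> bool:
    salt, expected = credential
    return hmac.compare_digest(hash_password(password, salt), expected)

def authenticate_vulnerable(username: str, token: str) -> bool:
    # Before the fix: hashing only happens when the user exists, so unknown users return faster.
    credential = USERS.get(username)
    if credential is None:
        return False
    return verify(credential, token)

def authenticate_hardened(username: str, token: str) -> bool:
    # After the fix: an unknown user is checked against the dummy hash, so both paths do the same work.
    credential = USERS.get(username)
    if credential is None:
        verify(DUMMY, token)  # result deliberately discarded; only the work matters
        return False
    return verify(credential, token)

def hash_work(authenticator, username: str, token: str) -> int:
    # Number of hash computations one login attempt triggered.
    global HASH_CALLS
    HASH_CALLS = 0
    authenticator(username, token)
    return HASH_CALLS
```

Timing both authenticators locally for a known and an unknown username reproduces the gap the advisory describes for the vulnerable path and shows it closed for the hardened one.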
Administrators can block HTTP requests that include the X-AUTH-USER and X-AUTH-TOKEN headers in their webserver.
Additional note: logins through the deprecated header authentication add a random delay to the response and trigger a deprecation notice, to push users to finally switch to API tokens.
Users should update to 2.54.0 or newer.
Credits
- Reported by: melnicek
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-jrc6-fmhw-fpq2