Kimai
Password reset links stayed valid after the password was changed
Affected versions
- Kimai versions <= 2.57.0 are affected by this security issue
- The issue has been fixed in Kimai 2.58.0
- Severity: Low
- We have not requested an official CVE ID for this security advisory
Description
After a user clicked a password reset link in Kimai and set a new password, the same link could still be used up to 2 times within the next hour.
- The issue affects password reset links and the admin “login link” feature generated through
bin/console kimai:user:login-link - The cryptographic signature on these links only covered the user’s internal ID. It did not depend on the current password, so changing the password did not invalidate the link.
- A user who reset their password in response to a suspected compromise might believe the account is secure, while the leaked link still grants access for a short time.
- All Kimai installations (OnPremise and Cloud) are affected.
Why we didn’t request a CVE
The issue is largely theoretical. After the password is changed, the same link can be reused at most two more times, and only within the one-hour window during which the original reset link was issued.
In addition, the link must reach someone other than the legitimate user. If an attacker already has access to the user’s mailbox, the underlying problem lies outside of Kimai.
Solution
Login links now include the user’s password hash in their signature, so any existing link immediately becomes invalid as soon as the password is changed.
Users should update to 2.58.0 or newer.
Credits
- Reported by: AzureADTrent
- Patched by: kevinpapst
First reported in GitHub advisory: GHSA-m492-gv72-xvxj