    request #12219 Reset password links are not invalidated on password change
    Infos
    #12219
    Thomas Gerbet (tgerbet)
    2018-09-21 21:07
    2018-09-03 09:47
    12217
    Details
    Reset password links are not invalidated on password change

    Reset password links are not invalidated after a user changes their password.

    Impact

    This issue could allow an attacker to persist access to a compromised user account.
    CVSSv3 score: 3.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)

    Exploitation

    1. A user's account is compromised; the attacker changes the e-mail address and requests a reset link.
    2. The user recovers the account and changes the password. The user now believes the account is safe.
    3. The attacker uses the previously generated reset link to change the password again and re-compromises the account.
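    The following is an added illustration, not part of the advisory and not Tuleap's own code: a minimal in-memory account with password-reset links. With `hardened=False` it reproduces the flaw above (a reset token issued before a password change is still accepted afterwards); with `hardened=True` it applies the fix, discarding every outstanding token when the password is set and additionally binding each token to the password hash in force when it was issued, so a token that somehow survives a password change is rejected anyway. The class and function names, the token lifetime and the sample passwords are assumptions made for the demonstration.

```python
"""Added illustration for request #12219 (not Tuleap's code).

hardened=False reproduces the flaw: a reset token issued before a password
change is still accepted afterwards.
hardened=True applies the fix: all outstanding tokens are revoked when the
password is set, and each token is bound to the password hash current at
issue time, so a token that survives a change is rejected regardless.
Names, TTL and sample passwords are assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 3600  # assumed lifetime of a reset link


def hash_password(password: str, salt: bytes) -> str:
    # PBKDF2 keeps the demo dependency-free; production code would use a
    # dedicated password hasher (argon2, bcrypt, ...).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class Account:
    def __init__(self, user_id: str, password: str, *, hardened: bool) -> None:
        self.user_id = user_id
        self.hardened = hardened
        self._salt = secrets.token_bytes(16)
        self._password_hash = hash_password(password, self._salt)
        # sha256(token) -> (expiry timestamp, password hash when issued).
        # Only a digest of the token is stored, so a leaked table does not
        # hand out usable links.
        self._reset_tokens: dict[str, tuple[float, str]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, now: float) -> str:
        """Issue the token part of a reset link for this account."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[self._digest(token)] = (now + RESET_TTL_SECONDS, self._password_hash)
        return token

    def set_password(self, new_password: str) -> None:
        """Change the password; the hardened variant also revokes all reset links."""
        self._password_hash = hash_password(new_password, self._salt)
        if self.hardened:
            self._reset_tokens.clear()

    def consume_reset(self, token: str, new_password: str, now: float) -> bool:
        """Use a reset link. Returns True if the password was changed."""
        entry = self._reset_tokens.pop(self._digest(token), None)
        if entry is None:
            return False  # unknown, already used, or revoked
        expires_at, issued_against = entry
        if now > expires_at:
            return False  # expired
        if self.hardened and not hmac.compare_digest(issued_against, self._password_hash):
            return False  # password changed since the link was issued
        self.set_password(new_password)
        return True

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self._salt), self._password_hash)


def stale_link_still_works(hardened: bool) -> bool:
    """Replay the three steps of the advisory.

    Returns True when the link obtained in step 1 still changes the password
    in step 3, i.e. when the account can be taken over again.
    """
    t0 = 1_000_000.0
    acct = Account("victim", "original-password", hardened=hardened)
    link = acct.request_reset(now=t0)                # step 1: link issued while compromised
    acct.set_password("recovered-password")         # step 2: owner changes the password
    return acct.consume_reset(link, "attacker-password", now=t0 + 60)  # step 3: stale link


if __name__ == "__main__":
    print("vulnerable: stale link accepted ->", stale_link_still_works(hardened=False))
    print("hardened:   stale link accepted ->", stale_link_still_works(hardened=True))
```

Revoking tokens on every password-change path (self-service change, admin reset, recovery) is the primary control; binding the token to the password hash at issue time is defence in depth for a change path that forgets to call the revocation.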

    Credits

    Thank you to Swapnil Jain for finding and reporting this issue.

    References

    CVE-2018-17298

    CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)

    Authentication & LDAP
    All
    Stage
    Closed
    2018-09-04

    Follow-ups

    • Adding CVE ID.

      • Original Submission
    • Public disclosure.
    • gerrit #12537 integrated into Tuleap 10.4.99.161

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2018-09-04
    • A patch is under review: gerrit #12537.

      • Original Submission
      • Status changed from Under implementation to Under review