Weak Password Change Mechanism in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 9th 2022


Description

When setting a new user password, the application does not require knowledge of the original password (the current password is not requested).

Proof of Concept

1. Log in as a regular user.
2. Navigate to https://book.dansmonorage.blue/preferences/password
3. Enter any new password string; the change is accepted without the current password.

Impact

If an attacker can gain access to an active user session (e.g. an unlocked terminal left unattended when the user stands up), it would not be necessary to know the victim's current password in order to fully compromise the account.
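The weakness described above is the absence of a current-password check on the password change handler. The following added example (not bookwyrm's code, and not the fix from the referenced commit) contrasts a handler that trusts the session alone with a hardened one that verifies the current password in constant time, applies a minimum length, and bumps a session version so existing sessions are invalidated after the change. The user store, hashing parameters and helper names are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Demo parameter only; production deployments should use their framework's
# hasher and iteration count. Kept low here so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 8


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class User:
    """Constructed in-memory user record (hypothetical, not bookwyrm's model)."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt, self.digest = hash_password(password)
        # Incremented on password change; sessions carrying an older value are rejected.
        self.session_version = 0


class PasswordChangeError(Exception):
    pass


def change_password_weak(user: User, new_password: str, confirm: str) -> bool:
    """Vulnerable pattern: anyone holding the session can set a new password."""
    if new_password != confirm:
        raise PasswordChangeError("passwords do not match")
    user.salt, user.digest = hash_password(new_password)
    return True


def change_password_hardened(user: User, current_password: str,
                             new_password: str, confirm: str) -> bool:
    """Mitigation: re-authenticate with the current password before accepting a new one."""
    if not verify_password(current_password, user.salt, user.digest):
        # Same generic error whether the user exists or the password is wrong.
        raise PasswordChangeError("current password is incorrect")
    if new_password != confirm:
        raise PasswordChangeError("passwords do not match")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise PasswordChangeError("new password is too short")
    if new_password == current_password:
        raise PasswordChangeError("new password must differ from the current one")
    user.salt, user.digest = hash_password(new_password)
    # Invalidate every other session that was issued before the change.
    user.session_version += 1
    return True


def run_demo() -> dict:
    """Exercise both handlers; returns the observable outcomes for inspection."""
    victim = User("alice", "correct horse battery")
    # A session hijacker can rotate the password without knowing the old one.
    weak_rotated = change_password_weak(victim, "attacker-chosen-pw", "attacker-chosen-pw")

    victim2 = User("bob", "original-secret-1")
    try:
        change_password_hardened(victim2, "guess", "attacker-chosen-pw", "attacker-chosen-pw")
        hardened_blocked = False
    except PasswordChangeError:
        hardened_blocked = True
    # The legitimate owner, who knows the current password, can still change it.
    hardened_ok = change_password_hardened(victim2, "original-secret-1", "new-secret-22", "new-secret-22")
    return {
        "weak_rotated": weak_rotated,
        "weak_new_pw_valid": verify_password("attacker-chosen-pw", victim.salt, victim.digest),
        "hardened_blocked": hardened_blocked,
        "hardened_original_intact": verify_password("original-secret-1", victim2.salt, victim2.digest) or hardened_ok,
        "hardened_ok": hardened_ok,
        "sessions_invalidated": victim2.session_version == 1,
    }


if __name__ == "__main__":
    print(run_demo())
```

The hardened handler deliberately returns one generic error for a wrong current password so the form cannot be used as a password oracle, and the session version bump is what turns "change password" into a recovery action after a session has been stolen.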

Timeline

1. We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. (a year ago)
2. A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)
3. 7h3h4ckv157 modified the report. (a year ago)
4. We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back. (a year ago)
5. Mouse Reeve validated this vulnerability. (a year ago)
6. 7h3h4ckv157 has been awarded the disclosure bounty.
7. The fix bounty is now up for grabs.
8. The researcher's credibility has increased: +7
9. Mouse Reeve marked this as fixed in 0.4.4 with commit 137311. (a year ago)
10. The fix bounty has been dropped.
11. This vulnerability will not receive a CVE.
7h3h4ckv157
a year ago

Researcher


If possible, can we go for a CVE? @maintainer @admin

7h3h4ckv157
a year ago

Researcher


Similar cases:

1. https://www.rapid7.com/db/vulnerabilities/opencrx-cve-2020-7378/
2. https://www.cvedetails.com/cve/CVE-2017-14005/
3. https://nvd.nist.gov/vuln/detail/CVE-2018-7809

Jamie Slome
a year ago

Admin


It is up to the maintainer if they would like a CVE for this report 👍 Once we hear back from them, we can assign and publish a CVE.

7h3h4ckv157
a year ago

Researcher


If that's the case, are you okay with the same, sir?

@maintainer

7h3h4ckv157
a year ago

Researcher


The vulnerability is not yet fixed. I cross-checked the demo version just a moment ago. I hope it'll be fixed soon, and if you're happy, assign a CVE for the case.

@maintainer
