Insufficient Session Expiration in heroiclabs/nakama

Valid

Reported on

Aug 23rd 2022

Description

The Nakama Console session is not invalidated when the user is deleted.

Proof of Concept

Steps to reproduce:

1. Log in to the Nakama Console as admin and create a user test@user.com
2. In a separate browser or private window log in to the account test@user.com
3. In the admin session, delete the user test@user.com
4. Observe that the test@user.com session is not invalidated and the user can still perform all actions according to their role (for instance if the user has the administrator role they can still create/delete users)

Impact

An old session can be used by an attacker even after the user has been deleted in a different session. The session can be used until it expires or the attacker logs out.

Occurrences

console_user.go L120-L130

Active sessions should be invalidated when the corresponding user is deleted.

References

CWE-613 - Insufficient Session Expiration

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago

A heroiclabs/nakama maintainer has acknowledged this report a year ago

Andrei Mihu validated this vulnerability 10 months ago

vautia has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Andrei Mihu marked this as fixed in 3.16.0 with commit d1e894 10 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

This vulnerability is scheduled to go public on Feb 1st 2023

console_user.go#L120-L130 has been validated

Andrei Mihu published this vulnerability 10 months ago

to join this conversation