
Improper password verification on POST `/api/v1/account/login`

Critical
5HT2 published GHSA-356r-rwp8-h6m6 Apr 30, 2023

Package

gomod github.com/effectindex/tripreporter (Go)

Affected versions

< bd80ba833b9023d39ca22e29874296c8729dd53b

Patched versions

bd80ba833b9023d39ca22e29874296c8729dd53b

Description

Impact

What kind of vulnerability is it? Who is impacted?

Any user with an account on an instance of effectindex/tripreporter, e.g. https://subjective.report.

The vulnerability allows any user to log in as any other user by submitting any password that matches the password requirements. This gives access to the victim's account and can result in loss of their data.
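To make the failure mode concrete, here is an added example (written for this advisory, not code from effectindex/tripreporter) that places a policy check of the kind the pre-patch handler called beside the credential check the patch switches to. The `Account` type, the bodies of `ValidatePassword` and `VerifyPassword`, the helpers `hashPassword`, `NewAccount`, `LoginVulnerable` and `LoginFixed`, and the salted iterated SHA-256 construction are all assumptions made for a dependency-free demonstration; only the two function names come from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

// Account is a stand-in for the application's stored account record
// (constructed for this example; not the project's real type).
type Account struct {
	Username string
	Salt     []byte
	Hash     []byte
}

var (
	errPolicy      = errors.New("password does not meet requirements")
	errInvalidCred = errors.New("invalid username or password")
)

// ValidatePassword is a password *policy* check (length, contains a digit).
// It belongs at registration and says nothing about whether the submitted
// string is the password stored for the account.
func ValidatePassword(pw string) error {
	if len(pw) < 8 {
		return errPolicy
	}
	for _, r := range pw {
		if unicode.IsDigit(r) {
			return nil
		}
	}
	return errPolicy
}

// hashPassword derives a salted, iterated SHA-256 digest. Assumption for a
// dependency-free example only: production code should use argon2id or
// bcrypt from golang.org/x/crypto rather than a hand-rolled construction.
func hashPassword(pw string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// NewAccount enforces the policy once, at registration, then stores only a
// random salt and the derived hash.
func NewAccount(username, pw string) (*Account, error) {
	if err := ValidatePassword(pw); err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{Username: username, Salt: salt, Hash: hashPassword(pw, salt)}, nil
}

// VerifyPassword compares the submitted password against the stored hash in
// constant time. This is the check a login handler must make.
func (a *Account) VerifyPassword(pw string) error {
	if subtle.ConstantTimeCompare(hashPassword(pw, a.Salt), a.Hash) != 1 {
		return errInvalidCred
	}
	return nil
}

// LoginVulnerable mirrors the pre-patch flow described in the advisory: the
// handler only asked whether the password *looked* valid, so any
// policy-conforming string was accepted for any account.
func LoginVulnerable(a *Account, pw string) bool {
	return ValidatePassword(pw) == nil
}

// LoginFixed mirrors the patched flow: the handler verifies the password
// against the account's stored credential.
func LoginFixed(a *Account, pw string) bool {
	return a.VerifyPassword(pw) == nil
}

func main() {
	acct, err := NewAccount("alice", "correct-horse-9")
	if err != nil {
		panic(err)
	}
	// "totally-wrong-1" satisfies the policy but is not alice's password.
	for _, attempt := range []string{"correct-horse-9", "totally-wrong-1", "short"} {
		fmt.Printf("%-16s vulnerable=%-5t fixed=%t\n", attempt,
			LoginVulnerable(acct, attempt), LoginFixed(acct, attempt))
	}
}
```

The point of the side-by-side is that both functions return an error, so a handler that only checks `err != nil` compiles and appears to work with either; the policy validator rejects only malformed passwords, while the verifier rejects everything except the one credential that hashes to the stored value. A regression test that posts a well-formed but wrong password for an existing account and expects a 403 catches the difference.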

Patches

Has the problem been patched? What versions should users upgrade to?

Patched in bd80ba8.

No action is necessary for users on https://subjective.report. Anyone running their own instance should update to this commit or newer as soon as possible.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Apply this patch:

diff --git a/api/account.go b/api/account.go
index be89603..b9c08a0 100644
--- a/api/account.go
+++ b/api/account.go
@@ -84,7 +84,7 @@ func AccountPostLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	account, err = a1.ValidatePassword(account.Password, "Password")
+	account, err = a1.VerifyPassword(account.Password)
 	if err != nil {
 		ctx.HandleStatus(w, r, "Invalid username or password!", http.StatusForbidden)
 		return
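Review bot: the removed call `a1.ValidatePassword(account.Password, "Password")` takes a field label as its second argument, which fits a format/requirements validator rather than a comparison against the stored credential, so before this change any password that satisfied the policy passed the `err != nil` check and logged in as the requested account; the replacement `a1.VerifyPassword(account.Password)` is the right call, and the generic "Invalid username or password!" response on the following line is correctly left unchanged. The hunk carries no regression test, though: suggest adding one that posts a well-formed but wrong password for an existing account and asserts `http.StatusForbidden`, and confirming that `VerifyPassword` compares the submitted password against the stored hash with a constant-time comparison rather than plain equality.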

References

Are there any links users can visit to find out more?

Not at the moment.

Severity

Critical: 9.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2023-31123

Weaknesses

Credits