CVE-2021-3311
Published 2021-02-05
Priority: P349 · Severity: critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.90% (85.2th percentile)
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | rain | >= 0 < 1.0.472 | 1.0.472 |
| october | rain | >= 1.1.0 < 1.1.2 | 1.1.2 |
| octobercms | october | <= 1.0.471 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
GHSA
October CMS Session ID not invalidated after logout
ghsa · 2021-02-10 · CVSS 9.8 · CVE-2021-3311 [CRITICAL] · CWE-613
### Impact
When logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed.
### Patches
Issue has been patched in Build 472 (v1.0.472) and v1.1.2.
### Workarounds
Apply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2.
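The advisory above describes the sequence (session ID survives logout, becomes live again at the next login) in prose. The Python model below is an added illustration, constructed for this page; it is not October CMS code and does not reproduce the linked fix commit. It models a server-side session store where the vulnerable configuration keeps the session ID across logout and login, and the hardened configuration replaces the ID on every authentication state change. The names SessionStore, replay_scenario and the user "alice" are assumptions for the demo.

```python
"""
Constructed model of CWE-613 session reactivation (not October CMS code).

The server keeps a session store keyed by session ID. In the vulnerable
configuration logout only clears the user from the session record and keeps
the ID alive, so the browser keeps presenting the same cookie; when the user
logs in again the same ID is bound to the user once more, and a copy of the
cookie captured earlier works again. The hardened configuration replaces the
session ID on login and on logout, so a captured ID never resolves again.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionStore:
    # session_id -> username, or None for an anonymous (logged-out) session
    sessions: dict = field(default_factory=dict)
    # True: rotate the ID on login and logout (hardened); False: keep it (vulnerable)
    rotate_on_auth_change: bool = True

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def _rotate(self, sid: str) -> str:
        # Destroy the old record so the old ID can never resolve again,
        # then issue a fresh ID for the browser to hold.
        self.sessions.pop(sid, None)
        return self.new_session()

    def login(self, sid: str, user: str) -> str:
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_auth_change:
            sid = self._rotate(sid)
        self.sessions[sid] = user
        return sid  # the ID the browser should now hold

    def logout(self, sid: str) -> str:
        if sid not in self.sessions:
            return sid
        if self.rotate_on_auth_change:
            return self._rotate(sid)
        # Vulnerable path: the record stays under the same ID, merely
        # marked anonymous, so a later login re-arms it.
        self.sessions[sid] = None
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def replay_scenario(rotate_on_auth_change: bool) -> dict:
    """Victim logs in, attacker captures the cookie, victim logs out and back
    in; report what the captured cookie resolves to at each step."""
    store = SessionStore(rotate_on_auth_change=rotate_on_auth_change)
    browser = store.login(store.new_session(), "alice")
    stolen = browser                          # cookie captured while logged in
    result = {"while_logged_in": store.current_user(stolen)}
    browser = store.logout(browser)
    result["after_logout"] = store.current_user(stolen)
    browser = store.login(browser, "alice")   # victim logs back in
    result["after_relogin"] = store.current_user(stolen)
    result["browser_cookie_unchanged"] = (browser == stolen)
    return result


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(rotate_on_auth_change=False))
    print("hardened:  ", replay_scenario(rotate_on_auth_change=True))
```

In the vulnerable run the captured cookie is dead only for the window between logout and the next login, which is exactly the condition the advisory calls out; in the hardened run it is dead from the moment of logout. When auditing a real deployment, the equivalent check is to capture the session cookie while logged in, log out and back in from the legitimate browser, and replay the captured cookie: any authenticated response means the ID was not rotated.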
OSV
October CMS Session ID not invalidated after logout
osv · 2021-02-10 · CVSS 9.8 · CVE-2021-3311 [CRITICAL]
OSV carries the same advisory text as GHSA above: impact, patches (Build 472 / v1.0.472 and v1.1.2) and the manual-patch workaround are identical.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://anisiosantos.me/october-cms-token-reactivation
https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
https://octobercms.com/forum/chan/announcements