CVE Vulnerability Details: CVE-2023-31140 (PUBLISHED)
Assigner: GitHub_M (Org ID a0819718-46f1-4df5-94e2-005712e83aaa)
Published: 08 May, 2023 | 20:27
Updated: 29 Jan, 2025 | 14:55
▼CVE Numbering Authority (CNA)
OpenProject user sessions not terminated after activation of 2FA

OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged-in sessions for that account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device on behalf of a user, that user's existing sessions are not terminated. As a result, a session established (or hijacked) before 2FA was enabled keeps working afterwards, without ever having passed the second factor. The issue is resolved in OpenProject version 12.5.4, which actively terminates the sessions of a user account once a 2FA device has been registered and confirmed. As a workaround, a user who registers the first 2FA device on their account can manually log out to terminate all other active sessions of that account. Terminating all other sessions on logout is OpenProject's default behavior, but it can be disabled through a configuration option; verify that the option has not been overridden before relying on the workaround.
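To make the CWE-613 behavior and the fix concrete, the following Ruby model contrasts the pre-12.5.4 enrolment path (other sessions survive) with the patched path (other sessions are terminated, keeping only the session that confirmed the device), the administrator-created-device case, and the logout workaround with its configuration caveat. This is an added illustration written for this page, not OpenProject's own code: the session store, registry, method names and the `drop_other_sessions` option name are all invented, and the account and device names are constructed sample data.

```ruby
require 'securerandom'

# In-memory model of web sessions: session id => account name.
class SessionStore
  def initialize
    @sessions = {}
  end

  def login(user)
    id = SecureRandom.hex(8)
    @sessions[id] = user
    id
  end

  def active?(id)
    @sessions.key?(id)
  end

  def terminate(id)
    @sessions.delete(id)
  end

  # Drop every session of `user` except `keep` (nil drops them all).
  def terminate_sessions(user, keep: nil)
    @sessions.delete_if { |id, u| u == user && id != keep }
  end
end

# Confirmed 2FA devices per account (constructed stand-in for a device table).
class TwoFactorRegistry
  def initialize
    @devices = Hash.new { |h, k| h[k] = [] }
  end

  def first_device?(user)
    @devices[user].empty?
  end

  def add(user, device)
    @devices[user] << device
  end
end

# Pre-12.5.4 behaviour (CWE-613): the device is confirmed and nothing else happens,
# so a session hijacked before enrolment keeps working afterwards.
def confirm_device_vulnerable(_store, registry, user, _current_session, device)
  registry.add(user, device)
end

# Patched behaviour: confirming the first device ends every other session of the
# account and keeps only the session that performed the confirmation.
def confirm_device_fixed(store, registry, user, current_session, device)
  first = registry.first_device?(user)
  registry.add(user, device)
  store.terminate_sessions(user, keep: current_session) if first
end

# An administrator creates the user's first device: the user is not the caller,
# so none of the user's sessions are kept.
def admin_register_device_fixed(store, registry, user, device)
  first = registry.first_device?(user)
  registry.add(user, device)
  store.terminate_sessions(user) if first
end

# The advisory's workaround: a manual logout ends the user's other sessions, but
# only while the deployment's "drop other sessions on logout" option is enabled.
# `drop_other_sessions` is a hypothetical name for that option.
def logout(store, user, session_id, drop_other_sessions: true)
  if drop_other_sessions
    store.terminate_sessions(user)
  else
    store.terminate(session_id)
  end
end

# Scenario: one of alice's sessions was hijacked earlier; alice then enrols 2FA.
# Returns whether the hijacked and the enrolling sessions are still usable.
def enrolment_scenario(fixed:)
  store = SessionStore.new
  registry = TwoFactorRegistry.new
  hijacked = store.login('alice')
  current = store.login('alice')
  if fixed
    confirm_device_fixed(store, registry, 'alice', current, 'totp-1')
  else
    confirm_device_vulnerable(store, registry, 'alice', current, 'totp-1')
  end
  { hijacked_alive: store.active?(hijacked), current_alive: store.active?(current) }
end

# Scenario: an admin registers alice's first device; is the hijacked session alive?
def admin_scenario
  store = SessionStore.new
  registry = TwoFactorRegistry.new
  hijacked = store.login('alice')
  admin_register_device_fixed(store, registry, 'alice', 'sms-1')
  store.active?(hijacked)
end

# Scenario: on a vulnerable version alice logs out after enrolling; the workaround
# only removes the hijacked session when the logout option is still enabled.
def workaround_scenario(drop_other_sessions:)
  store = SessionStore.new
  registry = TwoFactorRegistry.new
  hijacked = store.login('alice')
  current = store.login('alice')
  confirm_device_vulnerable(store, registry, 'alice', current, 'totp-1')
  logout(store, 'alice', current, drop_other_sessions: drop_other_sessions)
  store.active?(hijacked)
end

if __FILE__ == $PROGRAM_NAME
  p enrolment_scenario(fixed: false)                 # {:hijacked_alive=>true, :current_alive=>true}
  p enrolment_scenario(fixed: true)                  # {:hijacked_alive=>false, :current_alive=>true}
  p workaround_scenario(drop_other_sessions: false)  # true: workaround silently ineffective
end
```

The last scenario is the caveat the advisory warns about: if the drop-other-sessions-on-logout option has been disabled in a deployment, the manual logout only ends the caller's own session and the pre-enrolment session stays valid, so an operator who cannot upgrade should confirm the option is on before treating logout as a mitigation.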

Affected Products
Vendor: opf
Product: openproject
Affected versions: >= 7.4.0, < 12.5.4
Problem Types
Type: CWE
CWE ID: CWE-613
Description: CWE-613: Insufficient Session Expiration
Metrics
CVSS version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
References
  • https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q (x_refsource_CONFIRM)
  • https://github.com/opf/openproject/pull/12508 (x_refsource_MISC)
  • https://community.openproject.org/wp/48035 (x_refsource_MISC)
  • https://www.openproject.org/docs/release-notes/12-5-4/ (x_refsource_MISC)
▼Authorized Data Publishers (ADP)
1. CVE Program Container
References: the same four CNA references listed above, carried over with the x_transferred tag; no additional affected products, metrics, or other details.
2. CISA ADP Vulnrichment
Details not found