CVE-2023-49091

Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/azukaar/Cosmos-Server/security/advisories/GHSA-hpvm-x7m8-3c6x	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cosmos-cloud:cosmos_server:0.1.15:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.1.16:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.1.17:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.2.0:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.3.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.3.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.3.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.3.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.3.4:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.3.5:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.4.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.4.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.4.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.4.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.4:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.5:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.6:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.7:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.8:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.9:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.5.12:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.6.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.6.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.6.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.6.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.6.4:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.4:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.5:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.6:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.7:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.8:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.9:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.7.10:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.4:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.5:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.6:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.7:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.8:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.9:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.10:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.8.11:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.0:-::::::
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.1:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.2:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.3:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.4:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.5:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.6:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.7:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.8:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.9:::::::*
	cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.10:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.11:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.12:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.13:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.14:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.15:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.16:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.17:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.18:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.19:-::::::
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.20:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.9.21:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.10.0:-::::::
cpe:2.3:a:cosmos-cloud:cosmos_server:0.10.1:-::::::
cpe:2.3:a:cosmos-cloud:cosmos_server:0.10.2:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.10.3:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.10.4:-::::::
cpe:2.3:a:cosmos-cloud:cosmos_server:0.11.0:-::::::
cpe:2.3:a:cosmos-cloud:cosmos_server:0.11.1:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.11.2:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.11.3:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.0:-::::::
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.1:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.2:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.3:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.4:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.5:::::::*
cpe:2.3:a:cosmos-cloud:cosmos_server:0.12.6:-::::::

History

29 Nov 2023, 20:53

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-29 20:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-49091

Mitre link : CVE-2023-49091

CVE.ORG link : CVE-2023-49091

JSON object : View

Products Affected

cosmos-cloud

cosmos_server

CWE

CWE-613

Insufficient Session Expiration

9.8 /10