CVE-2024-55603: 
Linux Debian vulnerability analysis and mitigation

Kanboard, a project management software focusing on the Kanban methodology, contains a session handling vulnerability in versions prior to 1.2.43. The vulnerability allows expired sessions to remain usable even after their intended lifetime has exceeded. This occurs due to improper verification of session expiration times in the custom session handler implementation (GitHub Advisory).

The vulnerability exists in Kanboard's custom session handler (app/Core/Session/SessionHandler.php), which stores session data in a database. When a session_id is provided, the handler queries the data from the sessions SQL table but fails to properly verify if the session has exceeded its lifetime (expires_at). The garbage collection function that should remove invalid sessions is only called with a probability of 1/1000 (based on default settings of session.gcprobability=1 and session.gcdivisor=1000) (NVD).

This vulnerability allows attackers to continue using expired sessions indefinitely, effectively bypassing session timeout security measures. Since sessions remain valid beyond their intended expiration time, this could lead to unauthorized access to user accounts and sensitive information (GitHub Advisory).

The vulnerability has been fixed in Kanboard version 1.2.43. Users are advised to upgrade to this version or later. The fix involves properly verifying the session expiration time during the read operation by adding a check for expire_at > time() in the session handler. There are no known workarounds for this vulnerability (GitHub Advisory, GitHub Commit).