
[1.5.12?] CVE-2021-29023: password reset rate limiting #733

Closed
zeitschlag opened this issue Jun 12, 2021 · 4 comments
@zeitschlag
Contributor

zeitschlag commented Jun 12, 2021

InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.

@UnderDogg UnderDogg changed the title CVE-2021-29023 CVE-2021-29023: password reset rate limiting Jun 13, 2021
@zeitschlag zeitschlag added this to the v1.5.12 milestone Jun 13, 2021
@zeitschlag zeitschlag self-assigned this Jun 13, 2021
@zeitschlag
Contributor Author

The idea is to do two things as a quick fix:

  • We not only check if there's a user with this mail, but also if there's already a password reset token stored in the database for them. If so, we don't generate a new one. (L. 169)
  • To harden things, we add a salt when it comes to hashing.

Feel free to add your thoughts :)

@UnderDogg
Contributor

See PR #743

@zeitschlag zeitschlag removed their assignment Aug 6, 2021
naui95 added a commit to naui95/InvoicePlane that referenced this issue Oct 10, 2021
implements rate limiting for:
- login attempts
- password recovery attempts
- password recovery token use
InvoicePlane#733
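The two ideas in zeitschlag's comment above (don't issue a second reset token while one is still outstanding, and store the token salted and hashed rather than in the clear) plus the three rate limits listed in the commit message (login attempts, recovery requests, token use) fit together in one small service. The following is an added illustration in Python, not InvoicePlane's own PHP code; the in-memory dictionaries stand in for the project's database tables, and the constants TOKEN_TTL, WINDOW and MAX_ATTEMPTS are assumed values, not ones from the project. The token itself comes from the CSPRNG (secrets), which addresses the "predictable token" part of the original report.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumed policy values (not InvoicePlane's): seconds a reset token stays valid,
# size of the sliding rate-limit window, and attempts allowed per key per window.
TOKEN_TTL = 3600
WINDOW = 900
MAX_ATTEMPTS = 5


class ResetService:
    """Password-reset flow with an outstanding-token check, salted token hashes
    and per-IP / per-account rate limits. Stores are in-memory stand-ins for DB tables."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing time-based logic
        self.users = {"alice@example.com": {}}  # constructed user table
        self.pending = {}                       # email -> {"salt", "hash", "expires"}
        self.attempts = defaultdict(deque)      # rate-limit key -> recent attempt timestamps

    def _allowed(self, key):
        """Sliding-window limiter: record the attempt and say whether it is within budget."""
        now = self.clock()
        recent = self.attempts[key]
        while recent and recent[0] <= now - WINDOW:   # drop attempts outside the window
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            return False
        recent.append(now)
        return True

    @staticmethod
    def _digest(salt, token):
        # Only the salted hash is persisted; a DB leak does not reveal usable tokens.
        return hashlib.sha256(salt + token.encode()).digest()

    def request_reset(self, email, client_ip):
        """Return the plaintext token to be emailed, or None. The caller shows the same
        'if the account exists, mail was sent' message in every case (no enumeration)."""
        # Limit by source address and by target account independently.
        if not self._allowed(f"reset:{client_ip}") or not self._allowed(f"reset:{email}"):
            return None
        if email not in self.users:
            return None
        now = self.clock()
        existing = self.pending.get(email)
        if existing and existing["expires"] > now:
            return None  # a valid token is already outstanding: do not mint another
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self.pending[email] = {
            "salt": salt,
            "hash": self._digest(salt, token),
            "expires": now + TOKEN_TTL,
        }
        return token

    def consume_token(self, email, token, client_ip):
        """Validate and burn a token. Guesses are rate-limited per IP and per account."""
        if not self._allowed(f"token:{client_ip}") or not self._allowed(f"token:{email}"):
            return False
        rec = self.pending.get(email)
        if rec is None or rec["expires"] <= self.clock():
            return False
        # Constant-time comparison of the salted digests.
        if not hmac.compare_digest(rec["hash"], self._digest(rec["salt"], token)):
            return False
        del self.pending[email]                 # single use
        return True


if __name__ == "__main__":
    svc = ResetService()
    tok = svc.request_reset("alice@example.com", "203.0.113.5")
    print("token issued:", tok is not None)
    print("second request while outstanding:", svc.request_reset("alice@example.com", "203.0.113.5"))
    print("consume:", svc.consume_token("alice@example.com", tok, "203.0.113.5"))
```

The limiter counts an attempt whether or not it succeeds, so a correct token presented after the budget is exhausted is rejected until the window slides; the test below exercises exactly that, along with single use and expiry.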
@naui95 naui95 mentioned this issue Oct 10, 2021
@nielsdrost7
Contributor

refs #739

@nielsdrost7 nielsdrost7 changed the title CVE-2021-29023: password reset rate limiting [1.5.12?] CVE-2021-29023: password reset rate limiting Dec 24, 2021
naui95 added a commit to naui95/InvoicePlane that referenced this issue Jun 11, 2022
implements rate limiting for:
- login attempts
- password recovery attempts
- password recovery token use
InvoicePlane#733
@nielsdrost7
Contributor

Solved by PR #767
