CVE-2026-46657
Received - Intake
Authentication Bypass in Bludit CMS via Persistent Tokens

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing "Remember Me" cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue.
CVSS Scores
EPSS Scores
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bludit bludit to 3.22.0 (exc)
Helpful Resources
Exploitability
CWE
KEV
CWE ID Description
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Quick Actions
Compliance Impact

The vulnerability allows disabled user accounts to maintain access via persistent authentication tokens, which means unauthorized access to user data can persist even after account deactivation.

This unauthorized access can lead to breaches of confidentiality and integrity of user information, potentially violating data protection requirements in standards like GDPR and HIPAA that mandate proper user access controls and timely revocation of access.

Failure to invalidate authentication tokens upon account disablement could result in non-compliance with regulations requiring strict session management and protection of sensitive data.

Executive Summary

This vulnerability affects Bludit content management system versions prior to 3.22.0. It occurs because when an administrator disables a user account, the system fails to invalidate or clear the persistent authentication tokens (tokenAuth and tokenRemember) stored in the JSON database.

As a result, users who had previously logged in and have a "Remember Me" cookie can still access the system despite their accounts being disabled. This means the account disablement does not effectively prevent access.

Impact Analysis

This vulnerability can allow disabled users or attackers with access to a valid persistent cookie to bypass account disablement and maintain unauthorized access to the system.

  • Unauthorized access to sensitive information due to persistent authentication.
  • Compromise of confidentiality and partial integrity of the system.
  • Potential misuse of disabled accounts leading to security breaches.
Detection Guidance

This vulnerability involves disabled user accounts retaining valid authentication tokens (tokenAuth and tokenRemember) in the Bludit JSON database, allowing continued access via "Remember Me" cookies.

To detect this issue on your system, you can inspect the Bludit user JSON database for disabled users who still have non-empty tokenAuth or tokenRemember fields.

For example, you might use commands to query or search the JSON database file (commonly located in the Bludit data directory) for disabled users with active tokens.

  • Use a tool such as `jq` to filter users whose account is disabled but whose tokenAuth or tokenRemember field is not empty, e.g. `jq '.users[] | select(.status == "disabled" and (.tokenAuth != "" or .tokenRemember != ""))' users.json`

This command assumes the user data is stored in a JSON file named users.json and that the status field indicates if the user is disabled.

Additionally, monitoring HTTP requests for valid "Remember Me" cookies from disabled accounts could help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to update Bludit to version 3.22.0 or later, which includes a security fix that invalidates sessions for disabled users by clearing the tokenAuth and tokenRemember fields.

If immediate updating is not possible, manually clearing or invalidating the tokenAuth and tokenRemember fields for disabled users in the JSON database can reduce risk.

Additionally, consider invalidating all persistent authentication cookies and forcing all users to re-authenticate.

  • Apply the official patch or upgrade to Bludit v3.22.0 as soon as possible.
  • Manually clear tokenAuth and tokenRemember fields for disabled users in the user database.
  • Invalidate existing "Remember Me" cookies by clearing browser cookies or forcing logout.
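The following script is an added example, not code from the advisory or from the Bludit project. It implements the Detection Guidance above (find disabled accounts that still carry a tokenAuth or tokenRemember value) together with the manual remediation from the Mitigation Strategies (clear those fields for disabled accounts only). Like the advisory's `jq` command, it assumes a "status" field marks disabled accounts; it additionally assumes the Bludit layout of a user database keyed by username, optionally wrapped in a top-level "users" key, and optionally preceded by the PHP guard line Bludit prepends to its database files. The sample database is constructed for the example.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample in the shape the advisory's detection guidance assumes
# ("status" marks disabled accounts). The leading PHP guard line and the
# username-keyed layout are assumptions about Bludit's database files.
SAMPLE_DB = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin": {"role": "admin",  "status": "enabled",  "tokenAuth": "a1b2c3", "tokenRemember": "r3m3mb3r"},
  "alice": {"role": "editor", "status": "disabled", "tokenAuth": "c0ff33", "tokenRemember": ""},
  "bob":   {"role": "author", "status": "disabled", "tokenAuth": "",       "tokenRemember": "d34db33f"},
  "carol": {"role": "author", "status": "disabled", "tokenAuth": "",       "tokenRemember": ""}
}
"""

TOKEN_FIELDS = ("tokenAuth", "tokenRemember")
PHP_GUARD = re.compile(r"^\s*<\?php.*?\?>\s*", re.DOTALL)
DEFAULT_GUARD = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n"


def load_users(raw: str) -> Dict[str, Dict[str, Any]]:
    """Parse the user database, stripping a leading PHP guard line if present
    and descending into a top-level "users" key if the file uses one."""
    data = json.loads(PHP_GUARD.sub("", raw, count=1))
    if isinstance(data, dict) and isinstance(data.get("users"), dict):
        data = data["users"]
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by username")
    return data


def is_disabled(user: Dict[str, Any]) -> bool:
    # Assumption shared with the advisory's jq command: status == "disabled".
    return user.get("status") == "disabled"


def stale_tokens(users: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Detection: map each disabled username to the token fields still set.
    An empty result means no disabled account can still be auto-logged-in."""
    findings: Dict[str, List[str]] = {}
    for name, user in users.items():
        if not is_disabled(user):
            continue
        live = [field for field in TOKEN_FIELDS if user.get(field)]
        if live:
            findings[name] = live
    return findings


def revoke_tokens(users: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Remediation: return a copy with tokenAuth/tokenRemember cleared for every
    disabled account, leaving enabled accounts untouched (what 3.22.0 does at
    disable time, applied retroactively to existing records)."""
    fixed = json.loads(json.dumps(users))  # deep copy; never mutate the input
    for name in stale_tokens(users):
        for field in TOKEN_FIELDS:
            fixed[name][field] = ""
    return fixed


def dump_users(users: Dict[str, Dict[str, Any]], guard: str = DEFAULT_GUARD) -> str:
    """Serialise back to a database file, re-adding the guard line so the file
    is still not served as plain JSON by the web server."""
    return guard + json.dumps(users, indent=2) + "\n"


if __name__ == "__main__":
    users = load_users(SAMPLE_DB)
    for name, fields in stale_tokens(users).items():
        print(f"disabled account {name!r} still holds: {', '.join(fields)}")
    cleaned = revoke_tokens(users)
    print("after revocation:", stale_tokens(cleaned) or "no stale tokens")
```

Run it against a copy of the real database first and compare the before/after output; the detection and the revocation deliberately share one predicate (`is_disabled`) so that whatever your Bludit build uses to mark a disabled account needs changing in exactly one place. Clearing the fields only revokes the server side of the cookie pair, which is sufficient: a "Remember Me" cookie whose token no longer matches any stored value cannot re-establish a session.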