+ "details": "### Summary\nThe OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account.\n\n### Details\nThe design flaw in authentication model ([authentication.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/authentication.rb)) allows for interchangeable use of password and session tokens for user authentication As old tokens are not revoked upon password reset, an attacker who has obtained a valid session token can continue to authenticate and change the account’s password even after the victim resets it, thereby maintaining persistent control over the compromised account.\n\n### PoC\n1. Attacker is logged in user account with hijacked valid session token, but not knowing the actual password\n2. Legitimate user, as preventive action, changes his password (_password123_) using old password (_password_), that he knows, then establishes new session\n3. Attacker issues another password change request (in web proxy like Burp) supplying his still valid token as _old_password_, changing it to attacker-password, from this point preventing any other legitimate users from accessing account\n<img width=\"912\" height=\"479\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d27b5980-0326-40f8-bb39-657d7b1c95a0\" />\n<img width=\"923\" height=\"423\" alt=\"image\" src=\"https://github.com/user-attachments/assets/060d9fe1-637e-4a2d-9142-76612984ea28\" />\n\n### Impact\nPersistence of an attacker who obtained valid session token and preventing legitimate users from account access",
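Review bot: the `details` text documents the root cause but states no fix or mitigation, so a reader of the advisory cannot tell what the corrected behaviour is; the Details section should name the two changes it implies: the password-change endpoint must require the current password (not a session token) as `old_password`, and all existing session tokens must be invalidated when the password is changed, since the text itself notes that "old tokens are not revoked upon password reset". The same section also runs two sentences together ("...for user authentication As old tokens are not revoked...") and needs a full stop there. Finally, the PoC and Impact wording should be tightened for publication: "Attacker is logged in user account with hijacked valid session token" reads better as "The attacker is logged in to the user's account with a hijacked, still-valid session token", "changes his password ... using old password ... that he knows" as "changes the password from _password_ to _password123_ using the old password", and the Impact line "Persistence of an attacker who obtained valid session token and preventing legitimate users from account access" as "An attacker who has obtained a valid session token can persist in the account and lock legitimate users out of it".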