CVE-2021-3311

9.8 CRITICAL

📋 TL;DR

CVE-2021-3311 is an authentication bypass vulnerability in October CMS where old session IDs become reactivated after a new login occurs. This allows attackers with knowledge of previously invalidated session IDs to regain unauthorized access to user accounts. All October CMS installations through build 471 are affected.

💻 Affected Systems

Products:
  • October CMS
Versions: All versions through build 471
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the core authentication mechanism in Auth/Manager.php

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers with captured session IDs can hijack authenticated sessions, potentially gaining administrative access to compromise the entire CMS installation and underlying server.

🟠 Likely Case: Session hijacking of user accounts leading to unauthorized access, data theft, and privilege escalation within the CMS.

🟢 If Mitigated: Limited impact if session IDs are properly protected and rotated, though the fundamental authentication flaw remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of old session IDs, which could be obtained through various means including network sniffing, XSS, or log exposure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 472 and later

Vendor Advisory: https://octobercms.com/forum/chan/announcements

Restart Required: No

Instructions:

1. Update October CMS to build 472 or later via the admin panel or composer.
2. Verify that commit 642f597489e6f644d4bd9a0c267e864cabead024 is present.
3. Clear all existing sessions to invalidate potentially compromised session IDs.

🔧 Temporary Workarounds

Session Management Enhancement (platform: all): Implement additional session validation and rotation mechanisms.

🧯 If You Can't Patch

  • Implement strict session timeout policies and force regular re-authentication
  • Monitor and log all session creation/reactivation events for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the October CMS version in the admin panel or via "composer show october/system". If the version is build 471 or earlier, the system is vulnerable.

Check Version:

php artisan october:version

Verify Fix Applied:

Verify system is running build 472 or later and check that Auth/Manager.php contains the fix from commit 642f597489e6f644d4bd9a0c267e864cabead024.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from same session ID
  • Session reactivation events
  • Unusual authentication patterns

Network Indicators:

  • Reuse of old session tokens in HTTP requests

SIEM Query:

source="*october*" AND (event="session_reactivation" OR (event="login" AND session_id IN known_compromised_sessions))
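The log and network indicators above can be checked mechanically: once a user logs in again, the session ID from their earlier login should never appear again, and a single session ID should not complete more than one login. The script below is an added example, not from this advisory or from October CMS; the log line format, field names and sample lines are constructed assumptions, and a real deployment would adapt the regular expression to its own authentication log.

```python
import re
from dataclasses import dataclass

# Constructed sample log (assumed format, not October CMS output).
# Line 5 reuses s-1111 after alice's later login superseded it;
# line 7 repeats a login with bob's already-used session id.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z event=login user=alice session=s-1111
2024-05-01T10:02:00Z event=request user=alice session=s-1111 path=/backend/dashboard
2024-05-01T10:10:00Z event=login user=alice session=s-2222
2024-05-01T10:11:00Z event=request user=alice session=s-2222 path=/backend/dashboard
2024-05-01T10:15:00Z event=request user=alice session=s-1111 path=/backend/users
2024-05-01T10:20:00Z event=login user=bob session=s-3333
2024-05-01T10:25:00Z event=login user=bob session=s-3333
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"session=(?P<session>\S+)(?: path=(?P<path>\S+))?$"
)


@dataclass
class Alert:
    ts: str
    user: str
    session: str
    reason: str


def find_session_reuse(log_text):
    """Return alerts for session ids that stay usable after they should be dead.

    Two conditions are flagged:
      * a request or login that presents a session id superseded by a
        later login of the same user (the reactivation this CVE describes);
      * a second successful login carrying a session id that already
        completed a login.
    """
    active = {}       # user -> session id of that user's most recent login
    retired = {}      # session id -> user, for ids superseded by a later login
    seen_login = set()  # session ids that have already completed a login
    alerts = []

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, event, user, session = m["ts"], m["event"], m["user"], m["session"]

        if session in retired:
            alerts.append(Alert(ts, user, session,
                                f"{event} with session id superseded by a later login"))

        if event == "login":
            if session in seen_login:
                alerts.append(Alert(ts, user, session,
                                    "repeat login with an already-used session id"))
            seen_login.add(session)
            previous = active.get(user)
            if previous is not None and previous != session:
                retired[previous] = user  # old id must not be accepted again
            active[user] = session

    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_LOG):
        print(f"{a.ts} user={a.user} session={a.session}: {a.reason}")
```

The script keeps only the most recent session per user, so it treats any earlier id as retired the moment a new login succeeds; if your deployment legitimately allows several concurrent sessions per user, key the `active` map on something narrower (for example user plus client) before relying on the first alert type.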
