CVE-2023-49091
📋 TL;DR
Cosmos-server versions before 0.13.1 do not invalidate authorization tokens on logout: a token captured before or during a session keeps working after the user has logged out. An attacker holding a stolen token therefore retains access to the self-hosted applications behind Cosmos-server until the token expires on its own. Anyone running a vulnerable version is affected.
💻 Affected Systems
- Cosmos-server
📦 What is this software?
Cosmos Server by Cosmos Cloud
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all applications behind Cosmos-server, data theft, privilege escalation, and lateral movement within the network.
Likely Case
Unauthorized access to specific applications and data exposure for users whose tokens are captured.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still potential unauthorized access to exposed applications.
🎯 Exploit Status
Exploitation requires first obtaining a valid authorization token, for example by intercepting unencrypted traffic, reading tokens written to logs or client-side storage, or any other leakage path. Once held, the token keeps working after the victim logs out, so the usual "log out to cut off the attacker" response does not help on vulnerable versions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.1
Vendor Advisory: https://github.com/azukaar/Cosmos-Server/security/advisories/GHSA-hpvm-x7m8-3c6x
Restart Required: Yes
Instructions:
1. Back up your Cosmos-server configuration.
2. Update to version 0.13.1 or later using your usual deployment method (package manager or the release on GitHub).
3. Restart the Cosmos-server service.
4. Force all users to log out and log back in so that tokens issued by the vulnerable version are invalidated.
🔧 Temporary Workarounds
Revoke tokens by restarting the authentication service (Linux)
sudo systemctl restart cosmos-server-auth
The unit name above is deployment-dependent; substitute the service or container you actually run Cosmos-server as. This only helps when token state lives in the restarted process's memory: a stateless signed token survives a restart unless the signing secret is rotated at the same time.
Network segmentation (all platforms)
Isolate Cosmos-server instances from critical systems so that a reused token reaches as little as possible.
🧯 If You Can't Patch
- Implement short session timeouts and force frequent re-authentication
- Deploy a WAF or reverse proxy with rate limiting in front of Cosmos-server; note that a proxy cannot tell a logged-out token from a live one unless it tracks sessions itself, so this limits abuse rather than preventing reuse
🔍 How to Verify
Check if Vulnerable:
Check the Cosmos-server version: anything below 0.13.1 is vulnerable. To confirm behaviour directly, log in, capture the Authorization header, call a protected endpoint with it, log out, then replay the same header: on a vulnerable version the second call still succeeds.
Check Version:
Depending on how it is deployed: the version shown in the Cosmos web UI or container image tag, `cosmos-server --version` if you run a native binary that supports it, or the package manager (`apt list --installed | grep cosmos-server`).
Verify Fix Applied:
After updating to 0.13.1, test that authorization tokens become invalid immediately after logout and cannot be reused.
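The login, capture, logout, replay sequence from the two checks above, as an added example script (not from the advisory or the Cosmos-Server project). The endpoint paths, the JSON login body, the `token` response field and the `Bearer` header scheme are assumptions that must be adjusted to the instance under test. The HTTP transport is a plain callable, so the verdict logic can be dry-run against the constructed fake server at the bottom without touching the network.

```python
"""Added example: probe a Cosmos-server instance for token reuse after logout.
Endpoint paths and request/response shapes are assumptions, not the project's documented API."""
import json
import sys
import urllib.error
import urllib.request

# Hypothetical paths; confirm against the instance's real API before use.
LOGIN_PATH = "/cosmos/api/login"
LOGOUT_PATH = "/cosmos/api/logout"
PROBE_PATH = "/cosmos/api/me"


def http_json(method, url, headers=None, body=None, timeout=10):
    """One request; returns (status, parsed JSON or None) and never raises on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers or {}))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        status, raw = e.code, e.read()
    try:
        return status, (json.loads(raw) if raw else None)
    except ValueError:
        return status, None


def token_survives_logout(base_url, nickname, password, http=http_json):
    """Run login -> probe -> logout -> probe; return per-step statuses and a verdict."""
    base = base_url.rstrip("/")
    status, body = http("POST", base + LOGIN_PATH, body={"nickname": nickname, "password": password})
    if status != 200 or not isinstance(body, dict) or "token" not in body:
        return {"login_status": status, "verdict": "inconclusive: login failed"}
    auth = {"Authorization": "Bearer " + body["token"]}

    before, _ = http("GET", base + PROBE_PATH, headers=auth)
    http("POST", base + LOGOUT_PATH, headers=auth)
    after, _ = http("GET", base + PROBE_PATH, headers=auth)  # replay of the captured header

    if 200 <= before < 300 and 200 <= after < 300:
        verdict = "VULNERABLE: token still accepted after logout"
    elif 200 <= before < 300:
        verdict = "fixed: token rejected after logout"
    else:
        verdict = "inconclusive: token not accepted even before logout"
    return {"login_status": status, "before_logout": before, "after_logout": after, "verdict": verdict}


def fake_cosmos(revokes_on_logout):
    """Constructed stand-in transport (not a real server) for offline dry-runs."""
    valid = set()

    def http(method, url, headers=None, body=None, timeout=10):
        tok = (headers or {}).get("Authorization", "")[len("Bearer "):]
        if url.endswith(LOGIN_PATH) and method == "POST":
            valid.add("tok-1")
            return 200, {"token": "tok-1"}
        if url.endswith(LOGOUT_PATH):
            if revokes_on_logout:
                valid.discard(tok)
            return 200, {}
        if url.endswith(PROBE_PATH):
            return (200, {"user": "demo"}) if tok in valid else (401, None)
        return 404, None

    return http


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python check.py https://cosmos.example nickname password
        print(token_survives_logout(*sys.argv[1:4]))
    else:  # no arguments: dry-run against the constructed fakes
        print("unpatched-like:", token_survives_logout("http://fake", "u", "p", fake_cosmos(False))["verdict"])
        print("patched-like:  ", token_survives_logout("http://fake", "u", "p", fake_cosmos(True))["verdict"])
```

Run it only against an instance you own, with a throwaway account, and keep the captured token out of shell history and logs.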
📡 Detection & Monitoring
Log Indicators:
- Multiple successful authentications from same token after logout events
- Unusual access patterns using old authorization headers
Network Indicators:
- Repeated use of same authorization tokens across multiple sessions
- Authentication requests with timestamps mismatching current sessions
SIEM Query:
Illustrative Splunk-style SPL; the field names (event, token_hash, _time) are assumed and must be mapped onto your actual log schema, and the pipeline should log a hash of the token rather than the raw value:
source="cosmos-server" (event="logout" OR event="api_call")
| stats max(eval(if(event="logout", _time, null()))) AS logout_time, max(eval(if(event="api_call", _time, null()))) AS last_use BY token_hash
| where isnotnull(logout_time) AND last_use > logout_time
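The same detection logic run offline over log lines, as an added example (not from the advisory): it reports every API call made with a token after that token's most recent logout, and flags calls that come from a different source address than the logout did. The one-JSON-object-per-line format and the sample lines are constructed for this example; map your real Cosmos-server or reverse-proxy fields onto `ts`, `event`, `token_hash` and `src`.

```python
"""Added example: find authorization-token use after logout in application logs.
Log format and sample lines are constructed for this example."""
import hashlib
import json
from datetime import datetime

# Constructed sample log: token A is reused from a new address after its logout, token B is not.
SAMPLE_LOG = """
{"ts":"2023-12-01T10:00:00Z","event":"login","token_hash":"A","src":"10.0.0.5"}
{"ts":"2023-12-01T10:05:00Z","event":"api_call","token_hash":"A","path":"/cosmos/api/me","src":"10.0.0.5"}
{"ts":"2023-12-01T10:06:00Z","event":"logout","token_hash":"A","src":"10.0.0.5"}
{"ts":"2023-12-01T10:30:00Z","event":"api_call","token_hash":"A","path":"/cosmos/api/config","src":"203.0.113.9"}
{"ts":"2023-12-01T10:31:00Z","event":"api_call","token_hash":"A","path":"/cosmos/api/servapps","src":"203.0.113.9"}
{"ts":"2023-12-01T11:00:00Z","event":"login","token_hash":"B","src":"10.0.0.7"}
{"ts":"2023-12-01T11:02:00Z","event":"logout","token_hash":"B","src":"10.0.0.7"}
{"ts":"2023-12-01T11:03:00Z","event":"login","token_hash":"C","src":"10.0.0.7"}
"""


def token_hash(raw_token: str) -> str:
    """What a log pipeline should record instead of the raw token."""
    return hashlib.sha256(raw_token.encode()).hexdigest()[:16]


def parse(lines: str):
    """Yield one dict per non-empty line, with 'ts' converted to an aware datetime."""
    for line in lines.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def find_reuse_after_logout(lines: str) -> dict:
    """Map token_hash -> list of api_call records seen after that token's most recent logout.

    Each finding carries 'new_source': True when the call came from a different
    address than the logout, which points at a stolen token rather than a stale client.
    """
    last_logout = {}  # token_hash -> (timestamp, source address)
    findings = {}
    for rec in sorted(parse(lines), key=lambda r: r["ts"]):
        th = rec["token_hash"]
        if rec["event"] == "logout":
            last_logout[th] = (rec["ts"], rec.get("src"))
        elif rec["event"] == "api_call" and th in last_logout and rec["ts"] > last_logout[th][0]:
            findings.setdefault(th, []).append(
                {**rec, "new_source": rec.get("src") != last_logout[th][1]}
            )
    return findings


if __name__ == "__main__":
    for th, calls in find_reuse_after_logout(SAMPLE_LOG).items():
        for c in calls:
            flag = " NEW SOURCE" if c["new_source"] else ""
            print(f"{c['ts'].isoformat()} token={th} {c.get('path')} from {c.get('src')}{flag}")
```

Sorting by timestamp before the single pass matters when lines arrive out of order from several collectors; without it a late-arriving logout line would hide the calls that follow it.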