CVE-2023-5889

8.2 HIGH

📋 TL;DR

This vulnerability allows attackers to maintain access to user sessions beyond their intended expiration time in PKP (Public Knowledge Project) software. It affects all systems running pkp/pkp-lib versions prior to 3.3.0-16, potentially enabling unauthorized access to administrative or user accounts.

💻 Affected Systems

Products:
  • PKP (Public Knowledge Project) software including OJS (Open Journal Systems), OMP (Open Monograph Press), OPS (Open Preprint Systems)
Versions: All versions prior to 3.3.0-16
Operating Systems: All operating systems running PKP software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using the vulnerable pkp-lib library component.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could maintain persistent unauthorized access to administrative accounts, leading to data theft, content manipulation, or complete system compromise.

🟠 Likely Case

Attackers gain prolonged access to user sessions, potentially accessing sensitive user data or performing unauthorized actions within the application.

🟢 If Mitigated

With proper session management controls, and sessions invalidated server-side, the impact is limited to temporary inconvenience.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an initial authenticated session, but the persistence flaw allows that session to keep working beyond its intended lifetime.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0-16 and later

Vendor Advisory: https://github.com/pkp/pkp-lib/commit/32d071ef2090fc336bc17d56a86d1dff90c26f0b

Restart Required: Yes

Instructions:

1. Back up your PKP installation and database.
2. Update to pkp-lib version 3.3.0-16 or later.
3. Clear all existing sessions from the database.
4. Restart the web server.
5. Force all users to re-authenticate.

🔧 Temporary Workarounds

Session Timeout Reduction (applies to: all)

Reduce session timeout values to minimize the exposure window.

Modify config.inc.php: $session_lifetime = 3600; // Set to 1 hour or less

Confirm the setting name and its unit against the configuration template shipped with your release before applying this change.

Force Session Regeneration (applies to: all)

Implement additional session regeneration on sensitive actions.

Add session_regenerate_id(true); before critical operations in the PHP code.

🧯 If You Can't Patch

  • Implement strict session monitoring and alerting for unusual session durations
  • Deploy WAF rules to detect and block session fixation attempts

🔍 How to Verify

Check if Vulnerable:

Check your pkp-lib version in the installation directory or via the admin interface. If the version is below 3.3.0-16, you are vulnerable.

Check Version:

grep -r "version" /path/to/pkp-lib/version.xml | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+-[0-9]\+'

Verify Fix Applied:

Verify that the version is 3.3.0-16 or higher, then test that sessions actually expire after the configured timeout (a request with an expired session ID must be rejected, not served).

📡 Detection & Monitoring

Log Indicators:

  • Unusually long session durations
  • Multiple session IDs from same user
  • Session access after logout events

Network Indicators:

  • Repeated authentication requests with old session tokens
  • Session cookies with extended expiration

SIEM Query:

source="*apache*" OR source="*nginx*" (session_timeout OR session_expire) AND (duration>3600 OR "old_session")
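As an added example (not from this advisory and not PKP's own code), the script below applies the first and third log indicators above to a session event log: it flags session IDs still used past the configured lifetime and session IDs used after a logout. The log format, field names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real PKP output): one session event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z sid=s1 user=editor event=login
2024-05-01T10:30:00Z sid=s1 user=editor event=request
2024-05-01T11:10:00Z sid=s1 user=editor event=request
2024-05-01T11:15:00Z sid=s1 user=editor event=logout
2024-05-01T11:20:00Z sid=s1 user=editor event=request
2024-05-01T10:05:00Z sid=s2 user=reviewer event=login
2024-05-01T10:40:00Z sid=s2 user=reviewer event=request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, sid, user, event); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["sid"], m["user"], m["event"]


def find_suspicious_sessions(log_text, lifetime_seconds=3600):
    """Return (sid, reason, timestamp) for sessions used past their configured
    lifetime or after an explicit logout, in chronological order."""
    lifetime = timedelta(seconds=lifetime_seconds)
    started = {}  # sid -> login time
    ended = {}    # sid -> logout time
    findings = []
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # users interleave in real logs; order by time
    for ts, sid, user, event in events:
        if event == "login":
            started[sid] = ts
            ended.pop(sid, None)  # a re-login on the same sid starts a fresh window
        elif event == "logout":
            ended[sid] = ts
        elif event == "request":
            if sid in ended and ts > ended[sid]:
                findings.append((sid, "used after logout", ts.isoformat()))
            elif sid in started and ts - started[sid] > lifetime:
                findings.append((sid, "used past lifetime", ts.isoformat()))
    return findings


if __name__ == "__main__":
    for sid, reason, when in find_suspicious_sessions(SAMPLE_LOG, 3600):
        print(f"{when} {sid}: {reason}")
```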
