Kimai
cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*
- < 2.46.0
A server-side template injection (SSTI) vulnerability has been identified in Kimai, a web-based time-tracking application, in versions prior to 2.46.0. The export feature renders user-supplied Twig templates inside a Twig sandbox whose security policy is too permissive: it allows method calls on the objects placed in the template context that an export template has no legitimate reason to make. An authenticated user with export rights can therefore supply a malicious Twig template that reads sensitive data out of those objects, including environment variables, user password hashes, serialized session tokens and CSRF tokens.
Successful exploitation discloses environment variables, user password hashes, session tokens and CSRF tokens. Because Kimai's login links are signed with APP_SECRET, an attacker who reads that secret can forge a valid login link for any user account and bypass normal authentication entirely.
To reproduce, an authenticated user with export permissions places a malicious Twig template in the Kimai export directory (in the described scenario, through direct filesystem access on the server). Triggering an export that uses that template causes the sandbox to evaluate the attacker's method calls, and the extracted values are rendered into the resulting PDF, from which the attacker reads them.
Update to Kimai 2.46.0 or later, where the sandbox policy has been fixed. After updating, review the export template security policy and keep it an explicit allow-list: only the tags, filters, functions, methods and properties a report actually needs, and nothing that exposes credentials, tokens or environment data. Treat export rights and write access to the export directory as privileged, since anyone holding them can author templates that execute on the server.
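As an added illustration (not Kimai's code), the following PHP contrasts an over-broad Twig sandbox policy with an allow-listed one. It assumes twig/twig is installed through Composer; the DemoUser class, its method names, the password hash and the template are constructed for the demo and are not taken from Kimai.

```php
<?php
// Added example, not Kimai's code: a lax versus a tight Twig sandbox policy.
// Assumes twig/twig is available via Composer autoload.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an application user entity handed to export templates.
final class DemoUser
{
    public function __construct(private string $name, private string $passwordHash) {}
    public function getDisplayName(): string { return $this->name; }
    public function getPassword(): string { return $this->passwordHash; }
}

// Renders $template under $policy; returns the output, or the sandbox error if the policy blocks it.
function renderSandboxed(SecurityPolicy $policy, string $template, array $context): string
{
    $twig = new Environment(new ArrayLoader(['export' => $template]));
    // Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->render('export', $context);
    } catch (SecurityError $e) {
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed attacker template: looks like a report header, but also pulls the password hash.
$attackerTemplate = '{{ user.getDisplayName() }} / {{ user.getPassword() }}';
$context = ['user' => new DemoUser('alice', '$2y$10$constructedhash')];

// Lax policy: every getter on the user object, credentials included, is callable from a template.
$lax = new SecurityPolicy(
    ['if', 'for'],                                   // allowed tags
    ['escape', 'upper'],                             // allowed filters
    [DemoUser::class => ['getDisplayName', 'getPassword']], // allowed methods, per class
    [],                                              // allowed properties
    []                                               // allowed functions
);

// Tight policy: only the accessor a report legitimately needs.
$tight = new SecurityPolicy(
    ['if', 'for'],
    ['escape', 'upper'],
    [DemoUser::class => ['getDisplayName']],
    [],
    []
);

echo renderSandboxed($lax, $attackerTemplate, $context), PHP_EOL;
echo renderSandboxed($tight, $attackerTemplate, $context), PHP_EOL;
```

Under the lax policy the second line of output contains the hash; under the tight policy Twig throws a SecurityNotAllowedMethodError (caught here as SecurityError) before rendering. Two points matter when auditing a policy like this: the method list is a per-class allow-list with no wildcard, so every method a template may call has to be named, and Twig's attribute syntax ({{ user.password }}) resolves to the getPassword() method and is subject to the same check, so leaving the method out of the list is what closes the path, not the syntax the template uses. A tight method list still does not help if the context itself carries objects that reach configuration, the request or the container, so limiting what is placed in the context is part of the same fix.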