pyLoad Session Privilege Revocation Bypass Vulnerability

Vulnerability

A session management vulnerability has been identified in pyLoad, a Python-based download manager, affecting versions through 0.5.0b3. At login the application copies the user's role and permission set into the session, and subsequent authorization decisions are made against that cached snapshot rather than the user's current record. When an administrator later changes the user's role or permissions, the running session is never updated, so the user keeps whatever rights were in effect at login until they log out or the session expires. This leaves a window in which revoked privileges can still be exercised.

Impact

Privilege changes made by an administrator do not take effect for users who are already logged in. A user whose rights have been reduced or revoked, including administrative rights, can continue to exercise them until the session ends or the user logs out, so a revocation intended to be immediate is delayed by the remaining lifetime of the session.

Reproduction

Log in as a user whose role or permissions are about to be changed; the application stores that user's role and permission set in the session. While the session is still active, have an administrator reduce the user's role or permissions. The original session can still perform actions that only the old privileges permit, showing that authorization is evaluated against the stale session data rather than the current user record.
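The following is an added illustration of the pattern described in the Vulnerability and Reproduction sections above; it is not pyLoad's own code, and every name in it (UserStore, login_cached, authorize_fresh and so on) is a hypothetical stand-in for the real application's user and session layer. It places the vulnerable design (role and permissions snapshotted into the session at login) beside a hardened one (session holds identity plus a version stamp, and every check re-reads the live user record), then replays the reproduction scenario of an admin being demoted mid-session.

```python
# Added illustration of the flaw described above, not pyLoad's own code.
# Every name here (UserStore, login_cached, authorize_fresh, ...) is a
# hypothetical stand-in for the real application's session and user layer.

ADMIN = "admin"


class UserStore:
    """Toy user database: the authoritative record of roles and permissions."""

    def __init__(self):
        self._users = {}

    def add(self, name, role, perms):
        self._users[name] = {"role": role, "perms": set(perms), "perm_version": 0}

    def get(self, name):
        return self._users[name]

    def set_role(self, name, role, perms):
        """Admin action: change a user's role and permission set.
        The version counter is bumped so that sessions issued before the
        change can be recognised as stale."""
        user = self._users[name]
        user["role"] = role
        user["perms"] = set(perms)
        user["perm_version"] += 1


def login_cached(store, name):
    """Vulnerable pattern: copy role and permissions into the session at login."""
    user = store.get(name)
    return {"user": name, "role": user["role"], "perms": set(user["perms"])}


def authorize_cached(session, action):
    """Vulnerable check: decides from the snapshot taken at login, so a
    revocation made afterwards is never seen for the life of the session."""
    return session["role"] == ADMIN or action in session["perms"]


def login_fresh(store, name):
    """Hardened pattern: the session records identity and a version stamp only."""
    return {"user": name, "perm_version": store.get(name)["perm_version"]}


def authorize_fresh(store, session, action):
    """Hardened check: re-read the live user record on every request.
    A version mismatch means an admin changed the account after this
    session was issued; refuse, which forces a fresh login."""
    user = store.get(session["user"])
    if session["perm_version"] != user["perm_version"]:
        return False
    return user["role"] == ADMIN or action in user["perms"]


def demo():
    """Replay the reproduction: an admin is demoted while logged in.
    Returns (before, after) dicts of authorization results for an
    admin-only action under both models."""
    store = UserStore()
    store.add("alice", ADMIN, ["add_package"])
    cached = login_cached(store, "alice")
    fresh = login_fresh(store, "alice")
    before = {
        "cached": authorize_cached(cached, "delete_user"),
        "fresh": authorize_fresh(store, fresh, "delete_user"),
    }
    # Another admin demotes alice to an ordinary user mid-session.
    store.set_role("alice", "user", ["add_package"])
    after = {
        "cached": authorize_cached(cached, "delete_user"),
        "fresh": authorize_fresh(store, fresh, "delete_user"),
    }
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before demotion:", before)  # both models allow
    print("after demotion: ", after)   # cached still allows; fresh refuses
```

The version stamp is a design choice on top of the live re-read: re-reading the record alone is enough to stop the stale-privilege problem, while the stamp additionally terminates the old session outright whenever an administrator touches the account, which is usually what an operator expects a revocation to do.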

Remediation

Update to pyLoad version 0.5.0b3.dev98, where this vulnerability has been fixed. Until the update is applied, administrators should assume that a role or permission change does not take effect for a user who is already logged in, and should terminate that user's active sessions after making the change, since the new rights are only picked up at the next login.

Added: Apr 22, 2026, 12:35 AM
Updated: Apr 22, 2026, 12:35 AM

Vulnerability Rating

Custom Algorithm

spread:         2.4
impact:         0.6
exploitability: 3.8
remediation:    7.7
relevance:      6.5
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.