Skip to content

dbAuth "forgot-password" Account Takeover Vulnerability [high]

High
jtoar published GHSA-3qmc-2r76-4rqp Nov 9, 2022

Package

npm @redwoodjs/api (npm)

Affected versions

>= v0.38.0

Patched versions

v2.2.5, v3.3.1

Description

Impact

What kind of vulnerability is it? Who is impacted?

This is an API vulnerability in Redwood's dbAuth, specifically the dbAuth forgot password feature:

  • only projects with the dbAuth "forgot password" feature are affected
  • this vulnerability was introduced in v0.38.0

User Accounts are Vulnerable to Takeover (Hijacking)

A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.

How to Determine if Projects have been Attacked

To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.

If you have question or concerns, reach out via the "For More Information" section below.

Patch Releases Available

The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ https://github.com/redwoodjs/redwood/releases/tag/v3.3.1 or v2.2.5+ https://github.com/redwoodjs/redwood/releases/tag/v2.2.5 respectively.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:

Manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler()

Users on all release lines can have their forgotPassword.handler() function strip out the sensitive fields manually before returning

handler: (user) => {
  // your code to notify/email user of the link to reset their password...

  const = { resetToken, resetTokenExpiresAt, ...rest }

  return rest
}

Use yarn patch to manually apply the fix

Users on v3 and v2 can use yarn patch to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability [high] gist for instructions.

Disable the forgot password flow entirely (v3 only)

Users on v3 can disable the forgot password flow entirely.

References

  • GitHub issue: #6343
  • Pull request with the fix: #6778

For More Information: Questions, Issues, Responsible Disclosure

If you have any questions or comments about this advisory:

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVE ID

No known CVE

Weaknesses

No CWEs