GHSA-XMGG-FX9P-PRQ6

Vulnerability from github – Published: 2022-09-16 18:38 – Updated: 2022-09-16 18:38
VLAI?
Summary
NodeBB account takeover via SSO plugins
Details

This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes.

Impact

Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out.

This re-exposed a vulnerability in that a specially crafted MITM attack could theoretically take over another user account during the single sign-on process.

Patches

The issue has been fully patched as of v1.17.2.

The patch commit can be found at https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4

Workarounds

Site maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4 into their codebase to patch the exploit.

References

  • https://blogs.opera.com/security/2022/03/bug-bounty-adventures-a-nodebb-0-day/

For more information

If you have any questions or comments about this advisory: * Discuss it on our community forum * Email us at support@nodebb.org

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nodebb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T18:38:45Z",
    "nvd_published_at": "2022-09-02T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "_This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes._\n\n### Impact\nDue to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out.\n\nThis re-exposed a vulnerability in that a specially crafted MITM attack could theoretically take over another user account during the single sign-on process.\n\n### Patches\nThe issue has been fully patched as of v1.17.2.\n\nThe patch commit can be found at https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4\n\n### Workarounds\nSite maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4 into their codebase to patch the exploit.\n\n### References\n* https://blogs.opera.com/security/2022/03/bug-bounty-adventures-a-nodebb-0-day/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Discuss it on [our community forum](community.nodebb.org/)\n* Email us at [support@nodebb.org](mailto:support@nodebb.org)\n",
  "id": "GHSA-xmgg-fx9p-prq6",
  "modified": "2022-09-16T18:38:45Z",
  "published": "2022-09-16T18:38:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NodeBB/NodeBB/security/advisories/GHSA-xmgg-fx9p-prq6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36076"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4"
    },
    {
      "type": "WEB",
      "url": "https://blogs.opera.com/security/2022/03/bug-bounty-adventures-a-nodebb-0-day"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NodeBB/NodeBB"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NodeBB account takeover via SSO plugins"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.