ghsa-xmgg-fx9p-prq6
Vulnerability from github
Published
2022-09-16 18:38
Modified
2022-09-16 18:38
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
NodeBB account takeover via SSO plugins
Details

This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes.

Impact

Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out.

This re-exposed a vulnerability in that a specially crafted MITM attack could theoretically take over another user account during the single sign-on process.

Patches

The issue has been fully patched as of v1.17.2.

The patch commit can be found at https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4

Workarounds

Site maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4 into their codebase to patch the exploit.

References

  • https://blogs.opera.com/security/2022/03/bug-bounty-adventures-a-nodebb-0-day/

For more information

If you have any questions or comments about this advisory: * Discuss it on our community forum * Email us at support@nodebb.org

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nodebb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T18:38:45Z",
    "nvd_published_at": "2022-09-02T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "_This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes._\n\n### Impact\nDue to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out.\n\nThis re-exposed a vulnerability in that a specially crafted MITM attack could theoretically take over another user account during the single sign-on process.\n\n### Patches\nThe issue has been fully patched as of v1.17.2.\n\nThe patch commit can be found at https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4\n\n### Workarounds\nSite maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4 into their codebase to patch the exploit.\n\n### References\n* https://blogs.opera.com/security/2022/03/bug-bounty-adventures-a-nodebb-0-day/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Discuss it on [our community forum](community.nodebb.org/)\n* Email us at [support@nodebb.org](mailto:support@nodebb.org)\n",
  "id": "GHSA-xmgg-fx9p-prq6",
  "modified": "2022-09-16T18:38:45Z",
  "published": "2022-09-16T18:38:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NodeBB/NodeBB/security/advisories/GHSA-xmgg-fx9p-prq6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36076"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NodeBB/NodeBB/commit/a2400f6baff44cb2996487bcd0cc6e2acc74b3d4"
    },
    {
      "type": "WEB",
      "url": "https://blogs.opera.com/security/2022/03/bug-bounty-adventures-a-nodebb-0-day"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NodeBB/NodeBB"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NodeBB account takeover via SSO plugins"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.