Security (Deleted User's Tokens Not Invalidated (CVE-2022-46382))
Summary¶
After signing in to Digital Rebar, users are issued authentication tokens tied to their account to perform actions within Digital Rebar. During the validation process of these tokens, Digital Rebar did not check if the user account still exists. Deleted Digital Rebar users could still use their tokens to perform actions within Digital Rebar.
Technical Details¶
Digital Rebar's API supports various authentication methods for API requests: username and password, certificate, and bearer JWT token authentication. The JWT token authentication method is a stateless form of authentication where the Digital Rebar server generates a cryptographically signed token that embeds user and session details, including expiration dates.
A token validation bug was discovered that enabled deleted user accounts to still use previously generated tokens until the token expired. The user details embedded in the token were not being checked to see if the user was still a valid user.
Recommendations¶
A fix has been developed to ensure tokens are only used by valid user accounts. Digital Rebar users should update to the latest fixed version.
Affected Versions¶
| Affected Versions | Fixed Version |
|---|---|
| v4.5 and earlier | v4.6.15 |
| v4.6 | v4.6.15 |
| v4.7 | v4.7.23 |
| v4.8 | v4.8.6 |
| v4.9 | v4.9.13 |
| v4.10 | v4.10.9 |
Common Vulnerability Scoring System (CVSS) Score¶
| CVSS Base Score | 7.4 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L