Skip to content

Possibility to circumvent the invitation token expiry period

Moderate severity GitHub Reviewed Published Feb 20, 2024 in decidim/decidim • Updated Feb 20, 2024

Package

bundler decidim (RubyGems)

Affected versions

>= 0.0.1.alpha3, < 0.26.9
>= 0.27.0, < 0.27.5

Patched versions

0.26.9
0.27.5
bundler decidim-admin (RubyGems)
>= 0.0.1.alpha3, < 0.26.9
>= 0.27.0, < 0.27.5
0.26.9
0.27.5
bundler decidim-system (RubyGems)
>= 0.0.1.alpha3, < 0.26.9
>= 0.27.0, < 0.27.5
0.26.9
0.27.5
bundler devise_invitable (RubyGems)
>= 0.4.rc3, < 2.0.9
2.0.9

Description

Impact

The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.

When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the devise_invitable gem:
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198

The only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the invite_for expiry period as explained in the gem's documentation:
https://github.com/scambra/devise_invitable#model-configuration-

invite_for: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. When invite_for is 0 (the default), the invitation won’t expire.

Decidim sets this configuration to 2.weeks so this configuration should be respected:
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134

The bug is in the devise_invitable gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.

Patches

Update devise_invitable to version 2.0.9 or above by running the following command:

$ bundle update devise_invitable

Workarounds

The invitations can be cancelled directly from the database by running the following command from the Rails console:

> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)

References

OWASP ASVS V4.0.3-2.3.1

This bug has existed in the devise_invitable gem since this commit which was first included in the v0.4.rc3 release of this gem:
scambra/devise_invitable@94d859c

All versions since then are affected.

This gem was first introduced at its version ~> 1.7.0 to the decidim-admin gem in this commit which was first included in the v0.0.1.alpha3 release of Decidim:
decidim/decidim@073e60e

It was first introduced at its version ~> 1.7.0 to the decidim-system gem in this commit which was also first included in the v0.0.1.alpha3 release of Decidim:
decidim/decidim@b128007

Credits

This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by Deloitte Finland.

References

@andreslucena andreslucena published to decidim/decidim Feb 20, 2024
Published by the National Vulnerability Database Feb 20, 2024
Published to the GitHub Advisory Database Feb 20, 2024
Reviewed Feb 20, 2024
Last updated Feb 20, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(68th percentile)

Weaknesses

Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Learn more on MITRE.

CVE ID

CVE-2023-48220

GHSA ID

GHSA-w3q8-m492-4pwp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.