From 6b8a44e36d170d7e39b97c15acaea66a72b8bcd7 Mon Sep 17 00:00:00 2001
From: virkt25
Date: Wed, 8 Aug 2018 16:32:11 -0400
Subject: [PATCH] docs: accesstoken security advisory
---
 _data/sidebars/lb2_sidebar.yml | 4 ++
 _data/sidebars/lb3_sidebar.yml | 4 ++
 pages/en/lb2/Security-advisory-08-08-2018.md | 50 ++++++++++++++++++++
 pages/en/lb3/Security-advisory-08-08-2018.md | 50 ++++++++++++++++++++
 4 files changed, 108 insertions(+)
 create mode 100644 pages/en/lb2/Security-advisory-08-08-2018.md
 create mode 100644 pages/en/lb3/Security-advisory-08-08-2018.md
diff --git a/_data/sidebars/lb2_sidebar.yml b/_data/sidebars/lb2_sidebar.yml
index 07c78e830..25c186f1d 100644
--- a/_data/sidebars/lb2_sidebar.yml
+++ b/_data/sidebars/lb2_sidebar.yml
@@ -150,6 +150,10 @@ children: output: 'web, pdf' children:
+ - title: '08-08-2018'
+ url: Security-advisory-08-08-2018.html
+ output: 'web, pdf'
+
 - title: '01-31-2018'
 url: Security-advisory-01-31-2018.html
 output: 'web, pdf'
diff --git a/_data/sidebars/lb3_sidebar.yml b/_data/sidebars/lb3_sidebar.yml
index d12f35a4d..53293deb0 100644
--- a/_data/sidebars/lb3_sidebar.yml
+++ b/_data/sidebars/lb3_sidebar.yml
@@ -132,6 +132,10 @@ children: output: 'web, pdf' children:
+ - title: '08-08-2018'
+ url: Security-advisory-08-08-2018.html
+ output: 'web, pdf'
+
 - title: '01-31-2018'
 url: Security-advisory-01-31-2018.html
 output: 'web, pdf'
diff --git a/pages/en/lb2/Security-advisory-08-08-2018.md b/pages/en/lb2/Security-advisory-08-08-2018.md
new file mode 100644
index 000000000..4b741d4a1
--- /dev/null
+++ b/pages/en/lb2/Security-advisory-08-08-2018.md
@@ -0,0 +1,50 @@
+---
+title: "Security advisory 08-08-2018"
+lang: en
+layout: page
+toc: false
+keywords: LoopBack
+tags: security
+sidebar: lb2_sidebar
+permalink: /doc/en/lb2/Security-advisory-08-08-2018.html
+---
+
+* **Security risk**: TBD
+* **Vulnerability**: AccessToken API (if exposed) allows anyone to create a Token
+
+### Description
+
+LoopBack provides a built-in `User` management / authentication and authorization solution. As part of this solution, a User must have an `AccessToken` to authenticate themselves against APIs requiring authentication / authorization for data access.
+
+By default the `AccessToken` Model is not exposed over a REST API but this configuration can be changed by a user in `model-config.json` by changing the `public` property to `true` or removing it (defaults to true if missing). Unless this API is exposed, a user is not vulnerable.
+
+If the `AccessToken` Model is exposed over a REST API, it is then possible for anyone to create an `AccessToken` for any `User` provided they know the `userId` and can hence get access to the other user's data / access to their privileges (if the user happens to be an Admin for example).
+
+### Reported by
+
+[@zbarbutos](https://github.com/zbarbuto) via Gitter
+
+### Versions affected
+
+loopback version 2.39.2 and below
+
+### Solution
+
+Upgrade to loopback 2.40.0 or later if your repository is using an outdated loopback package.
+
+Ensure that your application's `package.json` has the following line:
+
+```js
+"dependencies": {
+ ...
+ "loopback": "^2.40.0",
+ ...
+ },
+```
+
+Then upgrade your project dependencies to use the latest version :
+
+```
+$ cd
+$ npm update
+```
diff --git a/pages/en/lb3/Security-advisory-08-08-2018.md b/pages/en/lb3/Security-advisory-08-08-2018.md
new file mode 100644
index 000000000..6ddbe1456
--- /dev/null
+++ b/pages/en/lb3/Security-advisory-08-08-2018.md
@@ -0,0 +1,50 @@
+---
+title: "Security advisory 08-08-2018"
+lang: en
+layout: page
+toc: false
+keywords: LoopBack
+tags: security
+sidebar: lb3_sidebar
+permalink: /doc/en/lb3/Security-advisory-08-08-2018.html
+---
+
+* **Security risk**: TBD
+* **Vulnerability**: AccessToken API (if exposed) allows anyone to create a Token
+
+### Description
+
+LoopBack provides a built-in `User` management / authentication and authorization solution. As part of this solution, a User must have an `AccessToken` to authenticate themselves against APIs requiring authentication / authorization for data access.
+
+By default the `AccessToken` Model is not exposed over a REST API but this configuration can be changed by a user in `model-config.json` by changing the `public` property to `true` or removing it (defaults to true if missing). Unless this API is exposed, a user is not vulnerable.
+
+If the `AccessToken` Model is exposed over a REST API, it is then possible for anyone to create an `AccessToken` for any `User` provided they know the `userId` and can hence get access to the other user's data / access to their privileges (if the user happens to be an Admin for example).
+
+### Reported by
+
+[@zbarbutos](https://github.com/zbarbuto) via Gitter
+
+### Versions affected
+
+loopback version 3.21.0 and below
+
+### Solution
+
+Upgrade to loopback 3.22.0 or later if your repository is using an outdated loopback package.
+
+Ensure that your application's `package.json` has the following line:
+
+```js
+"dependencies": {
+ ...
+ "loopback": "^3.22.0",
+ ...
+ },
+```
+
+Then upgrade your project dependencies to use the latest version :
+
+```
+$ cd
+$ npm update
+```