Skip to content

Possibility to circumvent the invitation token expiry period

Moderate severity GitHub Reviewed Published Feb 20, 2024 in decidim/decidim • Updated Feb 20, 2024

Package

bundler decidim (RubyGems)

Affected versions

>= 0.0.1.alpha3, < 0.26.9
>= 0.27.0, < 0.27.5

Patched versions

0.26.9
0.27.5
bundler decidim-admin (RubyGems)
>= 0.0.1.alpha3, < 0.26.9
>= 0.27.0, < 0.27.5
0.26.9
0.27.5
bundler decidim-system (RubyGems)
>= 0.0.1.alpha3, < 0.26.9
>= 0.27.0, < 0.27.5
0.26.9
0.27.5
bundler devise_invitable (RubyGems)
>= 0.4.rc3, < 2.0.9
2.0.9

Description

Impact

The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.

When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the devise_invitable gem:
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198

The only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the invite_for expiry period as explained in the gem's documentation:
https://github.com/scambra/devise_invitable#model-configuration-

invite_for: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. When invite_for is 0 (the default), the invitation won’t expire.

Decidim sets this configuration to 2.weeks so this configuration should be respected:
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134

The bug is in the devise_invitable gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.

Patches

Update devise_invitable to version 2.0.9 or above by running the following command:

$ bundle update devise_invitable

Workarounds

The invitations can be cancelled directly from the database by running the following command from the Rails console:

> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)

References

OWASP ASVS V4.0.3-2.3.1

This bug has existed in the devise_invitable gem since this commit which was first included in the v0.4.rc3 release of this gem:
scambra/devise_invitable@94d859c

All versions since then are affected.

This gem was first introduced at its version ~> 1.7.0 to the decidim-admin gem in this commit which was first included in the v0.0.1.alpha3 release of Decidim:
decidim/decidim@073e60e

It was first introduced at its version ~> 1.7.0 to the decidim-system gem in this commit which was also first included in the v0.0.1.alpha3 release of Decidim:
decidim/decidim@b128007

Credits

This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by Deloitte Finland.

References

@andreslucena andreslucena published to decidim/decidim Feb 20, 2024
Published by the National Vulnerability Database Feb 20, 2024
Published to the GitHub Advisory Database Feb 20, 2024
Reviewed Feb 20, 2024
Last updated Feb 20, 2024

Severity

Moderate
5.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2023-48220

GHSA ID

GHSA-w3q8-m492-4pwp

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.