
Insertion of Sensitive Information into Log File in EyeDP

Low
ChrisMacNaughton published GHSA-gfcm-jpcv-cgm6 Jan 29, 2022

Package

EyeDP (Product)

Affected versions

<= 1.0.0.0b1

Patched versions

1.0.0

Description

EyeDP uses the audited gem to audit changes to sensitive model objects, such as users and groups. The resulting audit log contains the history of those changes. However, the audit log ends up including sensitive authentication information, such as plaintext API keys and password reset tokens.
This is a result of enabling the audited gem by adding the keyword audited to the ActiveRecord models, which by default records every changed attribute of the model, secrets included.
For example, the following figure shows a password reset token included in the audit log.

[Figure: password reset token recorded in the audit log]

Likewise, when rotating the secret for an SSO app, the user interface states that "This secret will only be displayed once, copy it to another location to use!". However, the secret is accessible from the audit logs, as shown in the following figure.

[Figure: rotated SSO app secret visible in the audit log]
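An added example, not EyeDP's code and not taken from the fix: it mimics what a bare audited declaration records versus audited except: [...] (the audited gem's option for excluding columns from the audit row), and scans constructed audit rows for the sensitive attributes the advisory describes. The attribute names api_key, reset_password_token and secret, and the model names, are assumptions rather than values from EyeDP's schema.

```ruby
# Attribute names assumed for illustration; EyeDP's real column names are
# not taken from its schema.
SENSITIVE_ATTRIBUTES = %w[api_key reset_password_token secret].freeze

# Constructed rows shaped like the `audits` table the audited gem writes:
# `audited_changes` holds { attribute => [old, new] } for an update.
SAMPLE_AUDITS = [
  { id: 1, auditable_type: 'User', action: 'update',
    audited_changes: { 'reset_password_token' => [nil, 'CONSTRUCTED-TOKEN-1'],
                       'updated_at' => ['2022-01-01', '2022-01-02'] } },
  { id: 2, auditable_type: 'Group', action: 'update',
    audited_changes: { 'name' => ['staff', 'admins'] } },
  { id: 3, auditable_type: 'SsoApp', action: 'update',
    audited_changes: { 'secret' => ['CONSTRUCTED-OLD', 'CONSTRUCTED-NEW'] } }
].freeze

# Behaviour of a bare `audited` declaration: every changed attribute is
# written to the audit row, secrets included.
def audited_changes_unfiltered(changes)
  changes.dup
end

# Behaviour of `audited except: SENSITIVE_ATTRIBUTES`: the listed attributes
# are dropped before the audit row is written, so the secret value never
# reaches the log (the remaining attribute changes are still recorded).
def audited_changes_filtered(changes, except: SENSITIVE_ATTRIBUTES)
  changes.reject { |attribute, _values| except.include?(attribute.to_s) }
end

# Detection: ids of audit rows that still hold a sensitive attribute. Worth
# running after deploying a fix, because changing the model declaration only
# affects rows written from then on; rows already stored are unchanged.
def rows_leaking_secrets(rows, sensitive = SENSITIVE_ATTRIBUTES)
  rows.select { |row| (row[:audited_changes].keys.map(&:to_s) & sensitive).any? }
      .map { |row| row[:id] }
end

if __FILE__ == $PROGRAM_NAME
  change = SAMPLE_AUDITS.first[:audited_changes]
  puts "unfiltered: #{audited_changes_unfiltered(change).inspect}"
  puts "filtered:   #{audited_changes_filtered(change).inspect}"
  puts "rows still holding secrets: #{rows_leaking_secrets(SAMPLE_AUDITS).inspect}"
end
```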

Impact

Although this information can only be accessed by administrators, it could have security impact because it may hinder auditing: for example, if a password reset token is disclosed, an administrator can impersonate another user and perform actions on their behalf without leaving traces of the impersonation in the audit logs. Furthermore, if future changes to the permission model add a user level that can read the audit log without being able to make changes (e.g., a security auditor), that level could be used to impersonate privileged users and administrators.

Patches

This issue is resolved in commit 16798c. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

No known CVE

Weaknesses