EyeDP uses the auditable gem to audit changes in sensitive model objects, such as users and groups. The resulting audit log contain the history of the changes. However, the audit logs end up including sensitive authentication information, such as plaintext API keys and reset password tokens.
This is a result of using the audited gem by specifying in the ActiveRecord models the keyword audited.
For example, the following Figure shows a password reset token included in the audit log.
Likewise, when rotating the secret for a SSO app, the user interface states that "This secret will only be displayed once, copy it to another location to use!". However, the secret is accessible from the audit logs, as shown in the following Figure.
Impact
Although this information can only be accessed by administrators, this could have security impact as it may hinder auditing: for example, if the reset password token is disclosed, an administrator can impersonate another user and perform actions on their behalf, without leaving traces of the impersonation in audit logs. Furthermore, in case future changes to the permission model, adding a user level that can access audit log without being able to perform changes (e.g., security auditor) may allow impersonation of privileged users and administrators.
Patches
This issue is resolved in commit 16798c. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.
Workarounds
None
For more information
If you have any questions or comments about this advisory:
EyeDP uses the auditable gem to audit changes in sensitive model objects, such as users and groups. The resulting audit log contain the history of the changes. However, the audit logs end up including sensitive authentication information, such as plaintext API keys and reset password tokens.
This is a result of using the
auditedgem by specifying in the ActiveRecord models the keywordaudited.For example, the following Figure shows a password reset token included in the audit log.
Likewise, when rotating the secret for a SSO app, the user interface states that "This secret will only be displayed once, copy it to another location to use!". However, the secret is accessible from the audit logs, as shown in the following Figure.
Impact
Although this information can only be accessed by administrators, this could have security impact as it may hinder auditing: for example, if the reset password token is disclosed, an administrator can impersonate another user and perform actions on their behalf, without leaving traces of the impersonation in audit logs. Furthermore, in case future changes to the permission model, adding a user level that can access audit log without being able to perform changes (e.g., security auditor) may allow impersonation of privileged users and administrators.
Patches
This issue is resolved in commit 16798c. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.
Workarounds
None
For more information
If you have any questions or comments about this advisory: