CVE-2021-28680

The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the "back" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/oivoodoo/devise_masquerade/issues/83	Issue Tracking Third Party Advisory
https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:devise_masquerade_project:devise_masquerade:*:*:*:*:*:ruby:*:*

History

No history.

Information

Published : 2021-12-07 21:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-28680

Mitre link : CVE-2021-28680

CVE.ORG link : CVE-2021-28680

JSON object : View

Products Affected

devise_masquerade_project

devise_masquerade

CWE

NVD-CWE-noinfo

{"id": "CVE-2021-28680", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2021-12-07T21:15:08.133", "references": [{"url": "https://github.com/oivoodoo/devise_masquerade/issues/83", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the \"back\" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator."}, {"lang": "es", "value": "devise_masquerade gem versiones anteriores a 1.3, permite determinados ataques cuando se desconoce el salt de una contrase\u00f1a. Una aplicaci\u00f3n que usa esta gema para permitir a administradores enmascarar/impersonar a usuarios pierde una capa de protecci\u00f3n de seguridad en comparaci\u00f3n con una situaci\u00f3n en la que se usa Devise (sin esta extensi\u00f3n). Si el valor de secret_key_base del lado del servidor se hace p\u00fablicamente conocido (por ejemplo, si es comprometido a un repositorio p\u00fablico por error), todav\u00eda se presentan otras protecciones en el lugar que impiden a un atacante hacerse pasar por cualquier usuario en el sitio. Cuando no se usa el enmascaramiento en una aplicaci\u00f3n devise_masquerade, uno debe conocer el salt de la contrase\u00f1a del usuario objetivo si quiere cifrar y firmar una cookie de sesi\u00f3n v\u00e1lida. Sin embargo, cuando es usada devise_masquerade, un atacante puede decidir a qu\u00e9 usuario volver\u00e1 la acci\u00f3n \"back\" sin conocer el salt de la contrase\u00f1a de ese usuario y simplemente conociendo el ID del usuario, al manipular la cookie de sesi\u00f3n y fingiendo que un usuario ya est\u00e1 enmascarado por un administrador"}], "lastModified": "2021-12-13T18:28:50.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:devise_masquerade_project:devise_masquerade:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "79CC6B34-9869-474E-8C73-627B70DF22ED", "versionEndExcluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}