CVE-2023-45814: Tokens cached in the AuthenticationService are susceptible to reuse in Bunkum
First published: Wed Oct 18 2023(Updated: )
### Impact First, a little bit of background. So, in the beginning, Bunkum's `AuthenticationService` only supported injecting `IUser`s. However, as Refresh and SoundShapesServer implemented permissions systems support for injecting `IToken`s into endpoints was added. All was well until 4.0. Bunkum 4.0 then changed to enforce relations between `IToken`s and `IUser`s. This wasn't implemented in a very good way in the `AuthenticationService`, and ended up breaking caching in such a way that cached tokens would persist after the lifetime of the request - since we tried to cache both tokens and users. From that point until now, from what I understand, Bunkum was attempting to use that cached token at the start of the next request once cached. Naturally, when that token expired, downstream projects like Refresh would remove the object from Realm - and cause the object in the cache to be in a detached state, causing an exception from invalid use of `IToken.User`. So in other words, a use-after-free since Realm can't manage the lifetime of the cached token. Security-wise, the scope is fairly limited, can only be pulled off on a couple endpoints given a few conditions, and you can't guarantee which token you're going to get. Also, the token *would* get invalidated properly if the endpoint had either a `IToken` usage or a `IUser` usage. User interaction is required as authenticated requests must be performed. ### Patches The fix is to just wipe the token cache after the request was handled, which is now in `4.2.1`. I'd recommend that you update. Unfortunately, there are no real workarounds for other versions in the 4.X.X range.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/Bunkum | >=4.0.0<4.2.1 | 4.2.1 |
| LittleCMS | >=4.0<4.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2023-45814.
What is the severity of CVE-2023-45814?
The severity of CVE-2023-45814 is medium with a severity value of 5.3.
What is the impact of CVE-2023-45814?
The impact of CVE-2023-45814 is that the AuthenticationService in Bunkum allows injecting IToken into endpoints, which can lead to unauthorized access and potential security breaches.
How can I fix CVE-2023-45814?
To fix CVE-2023-45814, update Bunkum to version 4.2.1 or later, as this version includes the necessary remedies to address the vulnerability.
Where can I find more information about CVE-2023-45814?
You can find more information about CVE-2023-45814 at the following references: [GitHub Security Advisory](https://github.com/LittleBigRefresh/Bunkum/security/advisories/GHSA-jrf2-h5j6-3rrq), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-45814), [Bunkum Commit](https://github.com/LittleBigRefresh/Bunkum/commit/6e109464ed9255f558182f001f475a378405ff76).
- collector/github-advisory-latest
- alias/GHSA-jrf2-h5j6-3rrq
- alias/CVE-2023-45814
- collector/nvd-index
- collector/github-advisory
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/remedy
- agent/title
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/nuget
- vendor/littlebigfresh
- canonical/littlecms
- version/littlecms/4.0