chore: add security advisories to docs #7282
Merged: johnstcn merged 2 commits into main from cj/docs/sec43 on Apr 25, 2023
docs/images/icons/security.svg (1 change: 1 addition & 0 deletions; file contents not rendered on the page)
docs/manifest.json (13 changes: 13 additions & 0 deletions)
Expand Up@@ -825,6 +825,19 @@
"path": "cli/version.md"
}
]
},
{
"title": "Security",
"description": "Security advisories",
"path": "./security/index.md",
"icon_path": "./images/icons/security.svg",
"children": [
{
"title": "API tokens of deleted users not invalidated",
"description": "Fixed in v0.23.0 (Apr 25, 2023)",
"path": "./security/0001_user_apikeys_invalidation.md"
}
]
}
]
}
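Review bot: the new entries use paths with a leading `./` (`"./security/index.md"`, `"./images/icons/security.svg"`, `"./security/0001_user_apikeys_invalidation.md"`) while the existing sibling entry visible in the context lines uses the bare form `"path": "cli/version.md"`. If the docs manifest loader resolves both spellings identically this is only a consistency nit, but if it does not, the new section will fail to resolve; either way, dropping the `./` prefix to match the established convention avoids the question. The child description "Fixed in v0.23.0 (Apr 25, 2023)" is a useful summary, but it duplicates information in the advisory table and will need a manual update if the fix version ever changes.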
docs/security/0001_user_apikeys_invalidation.md (68 changes: 68 additions & 0 deletions)
@@ -0,0 +1,68 @@
# API Tokens of deleted users not invalidated

---

## Summary

Coder identified an issue in [https://github.com/coder/coder](https://github.com/coder/coder) where API tokens belonging to a deleted user were not invalidated. A deleted user in possession of a valid and non-expired API token is still able to use the above token with their full suite of capabilities.

## Impact: HIGH

If exploited, an attacker could perform any action that the deleted user was authorized to perform.

## Exploitability: HIGH

The CLI writes the API key to `~/.coderv2/session` by default, so any deleted user who previously logged in via the Coder CLI has the potential to exploit this. Note that there is a time window for exploitation; API tokens have a maximum lifetime after which they are no longer valid.

The issue only affects users who were active (not suspended) at the time they were deleted. Users who were first suspended and later deleted cannot exploit this issue.

## Affected Versions

All versions of Coder between v0.8.15 and v0.22.2 (inclusive) are affected.

All customers are advised to upgrade to [v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) as soon as possible.

## Details

Coder incorrectly failed to invalidate API keys belonging to a user when they were deleted. When authenticating a user via their API key, Coder incorrectly failed to check whether the API key corresponds to a deleted user.

## Indications of Compromise

> 💡 Automated remediation steps in the upgrade purge all affected API keys. Either perform the following query before upgrade or run it on a backup of your database from before the upgrade.

Execute the following SQL query:

```sql
SELECT
users.email,
users.updated_at,
api_keys.id,
api_keys.last_used
FROM
users
LEFT JOIN
api_keys
ON
api_keys.user_id = users.id
WHERE
users.deleted
AND
api_keys.last_used > users.updated_at
;
```

If the output is similar to the below, then you are not affected:

```sql
-----
(0 rows)
```

Otherwise, the following information will be reported:

- User email
- Time the user was last modified (i.e. deleted)
- User API key ID
- Time the affected API key was last used

> 💡 If your license includes the [Audit Logs](https://coder.com/docs/v2/latest/admin/audit-logs#filtering-logs) feature, you can then query all actions performed by the above users by using the filter `email:$USER_EMAIL`.
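Review bot: in the Indications of Compromise query, the `WHERE` predicate `api_keys.last_used > users.updated_at` discards every row in which the `LEFT JOIN` produced NULL `api_keys` columns, so the join behaves as an `INNER JOIN`; writing it as `JOIN api_keys ON api_keys.user_id = users.id` states the intent plainly and avoids readers assuming deleted users without keys are meant to appear in the output. The detection also depends on `users.updated_at` being the deletion timestamp, which the bullet "Time the user was last modified (i.e. deleted)" acknowledges; it would help to say explicitly that a deleted user whose row was touched again after deletion (or whose key was last used before deletion and never again) would not be flagged, so that the "(0 rows)" result is read as "no evidence of use after deletion" rather than "definitely not affected". Minor: the `(0 rows)` snippet is psql output rather than SQL, so a plain-text fence would be more accurate than ```sql.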
docs/security/index.md (15 changes: 15 additions & 0 deletions)
@@ -0,0 +1,15 @@
# Security Advisories

> If you discover a vulnerability in Coder, please do not hesitate to report it to us by following the instructions [here](https://github.com/coder/coder/blob/main/SECURITY.md).

From time to time, Coder employees or other community members may discover vulnerabilities in the product.

If a vulnerability requires an immediate upgrade to mitigate a potential security risk, we will add it to the below table.

Click on the description links to view more details about each specific vulnerability.

---

| Description | Severity | Fix | Vulnerable Versions |
| ---------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------- | ------------------- |
| [API tokens of deleted users not invalidated](./0001_user_apikeys_invalidation.md) | HIGH | [v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) | v0.8.25 - v0.22.2 |
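Review bot: the Vulnerable Versions cell reads `v0.8.25 - v0.22.2`, but the advisory it links to (docs/security/0001_user_apikeys_invalidation.md in this same PR) states "All versions of Coder between v0.8.15 and v0.22.2 (inclusive) are affected." One of the two lower bounds is a typo; since this table is what operators will scan to decide whether they need to upgrade, the two files should be reconciled before merge, and the table cell should use the same "inclusive" wording as the advisory so the boundary versions are unambiguous.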
