CVE-2023-48220
Possibility to circumvent the invitation token expiry period
Description
### Impact The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the `devise_invitable` gem: https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198 The only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period as explained in the gem's documentation: https://github.com/scambra/devise_invitable#model-configuration- > `invite_for`: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. When `invite_for` is `0` (the default), the invitation won’t expire. Decidim sets this configuration to `2.weeks` so this configuration should be respected: https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134 The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. ### Patches Update `devise_invitable` to version `2.0.9` or above by running the following command: ``` $ bundle update devise_invitable ``` ### Workarounds The invitations can be cancelled directly from the database by running the following command from the Rails console: ``` > Decidim::User.invitation_not_accepted.update_all(invitation_token: nil) ``` ### References OWASP ASVS V4.0.3-2.3.1 This bug has existed in the `devise_invitable` gem since this commit which was first included in the `v0.4.rc3` release of this gem: https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098 All versions since then are affected. This gem was first introduced at its version `~> 1.7.0` to the `decidim-admin` gem in this commit which was first included in the `v0.0.1.alpha3` release of Decidim: https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34 It was first introduced at its version `~> 1.7.0` to the `decidim-system` gem in this commit which was also first included in the `v0.0.1.alpha3` release of Decidim: https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454 ### Credits This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by [Deloitte Finland](https://www2.deloitte.com/fi/fi.html).