{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/passport/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Laravel Passport"],"_cs_severities":["high"],"_cs_tags":["laravel","passport","oauth2","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Laravel"],"content_html":"\u003cp\u003eLaravel Passport, a popular OAuth2 server package for Laravel applications, is vulnerable to an authentication bypass. Specifically, in versions prior to 13.7.1, when using \u003ccode\u003eclient_credentials\u003c/code\u003e grant type tokens, the library sets the JWT \u003ccode\u003esub\u003c/code\u003e claim to the client identifier. The \u003ccode\u003eTokenGuard\u003c/code\u003e then uses this client identifier without validating that it is actually a user ID, leading to a scenario where an attacker-controlled client ID may resolve to an existing user. The risk is amplified when \u003ccode\u003ePassport::$clientUuids\u003c/code\u003e is set to \u003ccode\u003efalse\u003c/code\u003e or the \u003ccode\u003eEnsureClientIsResourceOwner\u003c/code\u003e middleware is in use, potentially resulting in machine-to-machine tokens inadvertently authenticating as actual users. This vulnerability allows unauthorized access to resources intended for specific users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Laravel application using a vulnerable version of Laravel Passport (\u0026lt;13.7.1) that uses \u003ccode\u003eclient_credentials\u003c/code\u003e grants.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new OAuth2 client within the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the client ID of the registered client.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003eclient_credentials\u003c/code\u003e token request to the \u003ccode\u003e/oauth/token\u003c/code\u003e endpoint, using the client's ID and secret.\u003c/li\u003e\n\u003cli\u003eThe OAuth2 server generates a JWT access token. The \u003ccode\u003esub\u003c/code\u003e claim in this token is set to the client ID.\u003c/li\u003e\n\u003cli\u003eThe attacker makes a request to an API endpoint that is protected by Passport's \u003ccode\u003eauth:api\u003c/code\u003e guard using the crafted JWT access token.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTokenGuard\u003c/code\u003e extracts the client ID from the \u003ccode\u003esub\u003c/code\u003e claim of the JWT.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTokenGuard\u003c/code\u003e calls \u003ccode\u003eretrieveById()\u003c/code\u003e using the client ID. If a user exists with an ID that matches the client ID, the \u003ccode\u003eretrieveById()\u003c/code\u003e method will return that user. The application incorrectly authenticates the request as that unrelated user, granting unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to significant data breaches and unauthorized access to user accounts. An attacker could gain access to sensitive information, perform actions on behalf of legitimate users, or escalate privileges within the application. The impact depends on the scope of data and actions accessible to a successfully impersonated user. This vulnerability affects all applications using Laravel Passport versions prior to 13.7.1 that have either disabled UUIDs for clients or are using the \u003ccode\u003eEnsureClientIsResourceOwner\u003c/code\u003e middleware in a vulnerable configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Laravel Passport version 13.7.1 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a workaround, disallow the use of \u003ccode\u003eclient_credentials\u003c/code\u003e grant type to prevent the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview the configuration of \u003ccode\u003ePassport::$clientUuids\u003c/code\u003e and ensure it is set to \u003ccode\u003etrue\u003c/code\u003e to mitigate the risk (see documentation in Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Laravel Passport Authentication Bypass Attempt\u0026quot; to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-16T12:00:00Z","date_published":"2024-01-16T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-laravel-passport-auth-bypass/","summary":"Laravel Passport before v13.7.1 allows an authentication bypass via client credentials tokens, where a client's identifier can be used to impersonate a user if `Passport::$clientUuids` is set to false or the EnsureClientIsResourceOwner middleware is in use.","title":"Laravel Passport Authentication Bypass via Client Credentials Tokens","url":"https://feed.craftedsignal.io/briefs/2024-01-laravel-passport-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Passport","version":"https://jsonfeed.org/version/1.1"}