Coder, Improper Session Expiration, CVE-2023-6374 (Medium)


When a user logs into Coder via an OpenID Connect (OIDC) provider, the system stores the issued identity token and any accompanying refresh token. An API key is set in the user’s browser cookies to manage the web session. The vulnerability occurs specifically when the identity provider’s response does not include a refresh token. In this scenario, affected versions of Coder lack a mechanism to re-validate the expired OIDC token. The system incorrectly relies on the unexpired API key cookie for session validity, ignoring the stale OIDC token. Since the API key is configured to automatically extend its lifetime by 24 hours upon each use, a user making regular requests can maintain their session indefinitely, completely bypassing the original OIDC token’s expiration.
Platform: Coder
Version: Affected versions
Vulnerability: Session Fixation
Severity: Medium

Date: 2024-01-10

Prediction: 2024-01-31

What Undercode Says:

`curl -H "Cookie: coder_session_token=$APIKEY" $CODER_HOST/api/v2/users/me`

`grep -r "refresh_token" /path/to/coder/datastore/`

`journalctl -u coder --since "1 hour ago" | grep "token expired"`

How It Is Exploited:

The exploit requires a valid session. An attacker retains access after OIDC revocation by continuing to use the API key before its 24-hour rolling expiry window closes, which prevents the session from ever being terminated.

Protection from this CVE:

Upgrade to Coder v2.3.0 or apply the vendor patch. Configure identity providers to always issue refresh tokens. Alternatively, disable the API key lifetime extension feature in the Coder configuration.
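To make the flaw and its fix concrete, the following is an added Go sketch (not Coder's own code) of the session check before and after re-validating the OIDC token. The Session type, the hourly request simulation and the 90-minute identity token are assumptions constructed for the example, not Coder's real data model.

```go
package main

import "time"

// Session is a simplified, assumed model of what Coder stores after an OIDC login.
type Session struct {
	APIKeyExpires   time.Time // rolling API key cookie lifetime
	IDTokenExpires  time.Time // "exp" claim of the OIDC identity token
	HasRefreshToken bool      // whether the IdP returned a refresh token
}

// vulnerableValidate mirrors the flaw: only the API key cookie is checked, and every accepted request renews it for 24h.
func vulnerableValidate(s *Session, now time.Time) bool {
	if now.After(s.APIKeyExpires) {
		return false
	}
	s.APIKeyExpires = now.Add(24 * time.Hour)
	return true
}

// fixedValidate also checks the OIDC token; refresh stands in for the IdP token endpoint.
func fixedValidate(s *Session, now time.Time, refresh func() (time.Time, error)) bool {
	if now.After(s.APIKeyExpires) {
		return false
	}
	if now.After(s.IDTokenExpires) {
		if !s.HasRefreshToken {
			return false // stale token and no way to refresh: do not renew the key
		}
		exp, err := refresh()
		if err != nil {
			return false // IdP rejected the refresh: treat the session as revoked
		}
		s.IDTokenExpires = exp
	}
	s.APIKeyExpires = now.Add(24 * time.Hour)
	return true
}

// requestsAccepted: one request per hour for `hours` hours against a constructed session with a 90-minute ID token and no refresh token.
func requestsAccepted(validate func(*Session, time.Time) bool, hours int) int {
	start := time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC)
	s := &Session{APIKeyExpires: start.Add(24 * time.Hour), IDTokenExpires: start.Add(90 * time.Minute)}
	accepted := 0
	for h := 0; h < hours; h++ {
		if validate(s, start.Add(time.Duration(h)*time.Hour)) {
			accepted++
		}
	}
	return accepted
}
```

Over a simulated three days the vulnerable check accepts all 72 hourly requests, while the fixed check accepts only the two made before the identity token expired.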

Impact:

Prolonged unauthorized access. Bypass of identity provider access controls. Session integrity failure.


Sources:

Reported By: github.com