Impact
Affected versions of InvenTree rely on a version of the django-allauth-2fa library which did not require the user to enter their 2FA token when disabling 2FA support for their user account.
Theoretically, a malicious actor with physical access to a user's computer, with a logged-in session, could disable 2FA without having access to the user's token.
While the attack surface is limited, the InvenTree development team is committed to ensuring the software conforms to best practice.
Patches
- An upstream patch has been submitted to the django-allauth-2fa library to address this issue.
- The issue will be addressed in the upcoming 0.8.0 release
- The fix will also be ported to the 0.7.4 release
Workarounds
Users should ensure that they log out of any active InvenTree session when leaving their computer unattended.
Currently active sessions are visible in the user settings and can be logged out remotely from there.
References
This issue was found and disclosed responsibly by @dievus.
For more information