Security Advisory: Client-protected OAuth resources unprotected

The AlekSIS® team has found a security issue concerning client-protected OAuth resources. These are API endpoints (URL) protected by an OAuth client ID and secret, and currently in use only in the official app "Resint" for time-based documents.

If an OAuth app without a list of allowed scopes was registered, this app could access all time-based documents, instead of none. To exploit this bug, an attacker would have to get hold of a client ID and secret for an OAuth app without a list of allowed scopes, for example by grabbing such information from a public web application using AlekSIS® for authentication.

Not taking into account potential third-party apps, for the official distribution, we consider the practical impact as low, because the only endpoint using this feature is one intended for public display of substitution plans on digital signage displays, and thus only delivers information intended for public display.

The team has fixed the issue forthe upcoming release 2.8.2 of the AlekSIS core, and backported the fix to a new version 2.7.5 for the AlekSIS core series used in the current official AlekSIS distribution release 2021.12 "Bruner". A new version of the distribution, 2021.12.1, will also be tagged shortly. Installations using the documented installation method from the release handbook can be updated by running pip3 install -U aleksis-core==2.7.5 in the virtual environment to update the core, or pip3 install -U aleksis==2021.12.1 to update the entire distribution.