Details:
The DefectDojo documentation referenced an SSO implementation for GitHub that used service-level authentication rather than ‘org’- or ‘team’-level authentication.
Impact:
For instances with GitHub OAuth2 enabled that followed the DefectDojo documentation, any user with a GitHub account could authenticate. It is important to note, however, that such a user would be limited to viewing test types and environment types (DefectDojo's least-privilege default permissions).
Mitigation:
We are aware that this functionality is a valid use case for MSPs using DefectDojo. However, to help protect any organizations that may have misconfigured their instance, we’ve issued an update (2.19.4) that will cause a breaking change for instances with GitHub OAuth2 enabled per the DefectDojo documentation. No SaaS customers are impacted by either the issue or the breaking change. For people who desire service-level authentication, both DefectDojo’s context processor and settings must be updated.
Credit:
We greatly appreciate Ben Smith & Tim Birkett of PortSwigger for reporting this issue.
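As an added illustration (not part of this advisory and not DefectDojo's own code), the following Python shows the difference between the service-level and org-level configurations in a python-social-auth settings dict, an audit function that flags the service-level shape, and the membership gate that org-level authentication adds. It assumes DefectDojo's GitHub SSO is built on social-core's GitHub backends; the backend class paths, setting names, `<client-id>` placeholders and the organisation listing are assumptions or constructed samples, not values from the advisory.

```python
"""Audit a social-auth settings dict for service-level GitHub OAuth2 and
show the org-level membership check. Example code, not DefectDojo's own."""
from typing import Iterable

# social-core backend class paths (assumed; confirm against your installed version)
SERVICE_LEVEL_BACKEND = "social_core.backends.github.GithubOAuth2"
ORG_BACKEND = "social_core.backends.github.GithubOrganizationOAuth2"
TEAM_BACKEND = "social_core.backends.github.GithubTeamOAuth2"


def audit_github_sso(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    backends = settings.get("AUTHENTICATION_BACKENDS", ())
    # Service-level backend: every GitHub account can complete the login flow.
    if SERVICE_LEVEL_BACKEND in backends:
        findings.append(
            "service-level GitHub backend enabled: any GitHub account can sign in"
        )
    # Scoped backends are only a restriction when their scope setting is filled in.
    if ORG_BACKEND in backends and not settings.get("SOCIAL_AUTH_GITHUB_ORG_NAME"):
        findings.append("org backend enabled but SOCIAL_AUTH_GITHUB_ORG_NAME is empty")
    if TEAM_BACKEND in backends and not settings.get("SOCIAL_AUTH_GITHUB_TEAM_ID"):
        findings.append("team backend enabled but SOCIAL_AUTH_GITHUB_TEAM_ID is empty")
    return findings


def allowed_to_login(user_orgs: Iterable[dict], required_org: str) -> bool:
    """Org-level gate: accept only if the user's decoded organisation listing
    (JSON objects with a 'login' field) contains the configured org."""
    wanted = required_org.lower()
    return any(str(org.get("login", "")).lower() == wanted for org in user_orgs)


# Constructed sample settings: the weak shape next to the corrected shape.
WEAK_SETTINGS = {
    "AUTHENTICATION_BACKENDS": (
        SERVICE_LEVEL_BACKEND,
        "django.contrib.auth.backends.ModelBackend",
    ),
    "SOCIAL_AUTH_GITHUB_KEY": "<client-id>",          # placeholder
    "SOCIAL_AUTH_GITHUB_SECRET": "<client-secret>",   # placeholder
}
HARDENED_SETTINGS = {
    "AUTHENTICATION_BACKENDS": (
        ORG_BACKEND,
        "django.contrib.auth.backends.ModelBackend",
    ),
    "SOCIAL_AUTH_GITHUB_ORG_KEY": "<client-id>",        # placeholder
    "SOCIAL_AUTH_GITHUB_ORG_SECRET": "<client-secret>", # placeholder
    "SOCIAL_AUTH_GITHUB_ORG_NAME": "example-org",       # constructed org name
}

# Constructed sample of one user's decoded organisation listing.
SAMPLE_USER_ORGS = [{"login": "Example-Org", "id": 1}, {"login": "other-org", "id": 2}]

if __name__ == "__main__":
    print("weak:", audit_github_sso(WEAK_SETTINGS))
    print("hardened:", audit_github_sso(HARDENED_SETTINGS))
    print("member of example-org:", allowed_to_login(SAMPLE_USER_ORGS, "example-org"))
```

Run `audit_github_sso` against your deployed settings module to confirm that only an org- or team-scoped backend remains after the 2.19.4 change; an empty result is what the hardened configuration should produce.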