New
Boost Developer Productivity & Streamline Onboarding with CDE's

Download the Whitepaper

Get a Demo
About
Architecture
Installation
Kubernetes
Docker
OpenShift
Offline deployments
External database
Uninstall
1-click install
Releases
Platforms
AWS
Azure
Docker
GCP
Kubernetes
Additional clusters
Deployment logs
Other platforms
Templates
Working with templates
Your first template
Guided tour
Setting up templates
Change management
Provider authentication
Resource persistence
Terraform modules
Customizing templates
Agent metadata
Resource metadata
UI Resource Ordering
Parameters
Variables
Administering templates
General settings
Permissions
Workspace Scheduling
Open in Coder
Docker in workspaces
Dev Containers
Troubleshooting templates
Process Logging
Icons
Workspaces
IDEs
Web IDEs
JetBrains Gateway
Emacs
Remote Desktops
Networking
Port Forwarding
STUN and NAT
Dotfiles
Secrets
Administration
Authentication
Users
Groups
RBAC
Configuration
External Auth
Upgrading
Automation
Scaling Coder
Reference Architectures
Up to 1,000 users
Up to 2,000 users
Up to 3,000 users
External Provisioners
Workspace Proxies
Application Logs
Audit Logs
Quotas
High Availability
Prometheus
Appearance
Telemetry
Database Encryption
Deployment Health
Enterprise
Contributing
Code of Conduct
Feature stages
Documentation
Security
Frontend
API
General
Agents
Applications
Audit
Authentication
Authorization
Builds
Debug
Enterprise
Files
Git
Insights
Members
Organizations
PortSharing
Schemas
Templates
Users
WorkspaceProxies
Workspaces
Command Line
autoupdate
coder
config-ssh
create
delete
dotfiles
external-auth
external-auth access-token
favorite
features
features list
groups
groups create
groups delete
groups edit
groups list
licenses
licenses add
licenses delete
licenses list
list
login
logout
netcheck
open
open vscode
ping
port-forward
provisionerd
provisionerd start
publickey
rename
reset-password
restart
schedule
schedule override-stop
schedule show
schedule start
schedule stop
server
server create-admin-user
server dbcrypt
server dbcrypt decrypt
server dbcrypt delete
server dbcrypt rotate
server postgres-builtin-serve
server postgres-builtin-url
show
speedtest
ssh
start
stat
stat cpu
stat disk
stat mem
state
state pull
state push
stop
support
support bundle
templates
templates archive
templates create
templates delete
templates edit
templates init
templates list
templates pull
templates push
templates versions
templates versions archive
templates versions list
templates versions unarchive
tokens
tokens create
tokens list
tokens remove
unfavorite
update
users
users activate
users create
users delete
users list
users show
users suspend
version
Security
API tokens of deleted users not invalidated
FAQs
Guides
Generate a Support Bundle
Configuring Okta
Google to AWS Federation
JFrog Artifactory Integration
Template ImagePullSecrets
Postgres SSL
Azure Federation
Scanning Coder Workspaces with JFrog Xray
Home
/
Security
/
API tokens of deleted users not invalidated

API tokens of deleted users not invalidated

API Tokens of deleted users not invalidated

Summary

Coder identified an issue in https://github.com/coder/coder where API tokens belonging to a deleted user were not invalidated. A deleted user in possession of a valid and non-expired API token is still able to use the above token with their full suite of capabilities.

Impact: HIGH

If exploited, an attacker could perform any action that the deleted user was authorized to perform.

Exploitability: HIGH

The CLI writes the API key to ~/.coderv2/session by default, so any deleted user who previously logged in via the Coder CLI has the potential to exploit this. Note that there is a time window for exploitation; API tokens have a maximum lifetime after which they are no longer valid.

The issue only affects users who were active (not suspended) at the time they were deleted. Users who were first suspended and later deleted cannot exploit this issue.

Affected Versions

All versions of Coder between v0.8.15 and v0.22.2 (inclusive) are affected.

All customers are advised to upgrade to v0.23.0 as soon as possible.

Details

Coder incorrectly failed to invalidate API keys belonging to a user when they were deleted. When authenticating a user via their API key, Coder incorrectly failed to check whether the API key corresponds to a deleted user.

Indications of Compromise

💡 Automated remediation steps in the upgrade purge all affected API keys. Either perform the following query before upgrade or run it on a backup of your database from before the upgrade.

Execute the following SQL query:

SELECT
  users.email,
  users.updated_at,
  api_keys.id,
  api_keys.last_used
FROM
  users
LEFT JOIN
  api_keys
ON
  api_keys.user_id = users.id
WHERE
  users.deleted
AND
  api_keys.last_used > users.updated_at
;

If the output is similar to the below, then you are not affected:

-----
(0 rows)

Otherwise, the following information will be reported:

  • User email
  • Time the user was last modified (i.e. deleted)
  • User API key ID
  • Time the affected API key was last used

💡 If your license includes the Audit Logs feature, you can then query all actions performed by the above users by using the filter email:$USER_EMAIL.

See an opportunity to improve our docs? Make an edit.
On this page