CVE-2026-42604
Received - Intake
Actual Budget OpenID Client Secret Exposure via Unauthenticated Endpoint

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs

Vendor         Product        Version / Range
actual         budget         up to 26.4.0 (inclusive)
actual_budget  actual_budget  up to 26.5.0 (exclusive)
actual_budget  actual_budget  26.5.0
actual_budget  actual_budget  26.6.0

Note that the last two CPEs name 26.5.0 and 26.6.0, which the description identifies as fixed releases; the affected range is sync-server 26.4.0 and earlier.
CWE
CWE ID   Description
CWE-863  Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability exposes sensitive OAuth2 client secrets and configuration information, which can lead to unauthorized access to user identity information and impersonation of the application. Such breaches of confidentiality and authentication controls can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

By allowing attackers to potentially access or impersonate user identity data, the vulnerability increases the risk of data breaches, which may result in non-compliance with these standards' requirements for data security, breach notification, and user privacy.

Executive Summary

The vulnerability in Actual Budget's sync-server versions 26.4.0 and earlier is in the POST /openid/config endpoint, which returns the server's full OpenID Connect configuration, including the OAuth2 client_secret, to any caller who supplies the bootstrap password.

The endpoint requires no authenticated session, only that password, and applies no rate limiting, so the password can be guessed online at speed. A successful guess yields the client_secret together with the client_id, issuer URL, and endpoint configuration, that is, everything needed to act as the registered OIDC client.

Impact Analysis

The impact is twofold: disclosure of the OIDC client credentials, and the ability to subvert the authentication flow that depends on them.

An attacker holding the client_id, client_secret, issuer URL, and endpoint configuration can authenticate to the OpenID provider as the Actual Budget application, for example by redeeming authorization codes at the token endpoint, and so obtain tokens that carry user identity information. How far this reaches in practice depends on the provider's configuration (redirect URI validation, PKCE, granted scopes), which the advisory does not describe.

Because the endpoint is not rate limited, the bootstrap password that gates it can be brute-forced, so the strength of that one password is the only barrier to the whole chain.

Detection Guidance

This vulnerability can be detected by checking whether the Actual Budget sync-server version is 26.4.0 or earlier; those versions expose the full OpenID Connect configuration via the POST /openid/config endpoint.

To detect exploitation attempts, monitor for POST requests to /openid/config on the sync-server or on the reverse proxy in front of it.

Because the endpoint lacks authentication and rate limiting, a burst of POST requests to /openid/config from a single client, particularly with error responses, is the signature of a brute-force attack on the bootstrap password. A single request that succeeds is indistinguishable from a legitimate configuration read by the request alone, so correlate it with the source address and with whether an administrator was expected to be working at that time.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to /openid/config. This only works where the traffic is plaintext HTTP; if TLS terminates at a reverse proxy, capture on the proxy-to-server hop or use the proxy's access log instead.
  • Example command to capture HTTP POST requests to /openid/config with tcpdump (replace <port> with the port the sync-server or its proxy listens on; the BPF expression selects only TCP segments that carry payload): tcpdump -i <interface> -A 'tcp port <port> and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /openid/config'
  • Check server or reverse-proxy access logs for POST requests to /openid/config. Every such request is unauthenticated by design, so look at volume and source rather than at authentication state: many requests from one client in a short window indicate password guessing.
  • Verify the Actual Budget sync-server version by querying the application or checking installed package versions; anything below 26.5.0 is affected.
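The two checks above, the version test and the log review, as an added example that is not Actual Budget project code. It assumes the sync-server sits behind a reverse proxy that writes nginx "combined" format access logs, and it treats five or more POSTs to /openid/config from one address inside any 60-second window as a brute-force indicator; both the log format and the threshold are assumptions for this example, and the sample log lines are constructed, not real traffic.

```python
"""Added example for CVE-2026-42604: not Actual Budget project code.

Two checks described in the detection guidance:
  1. is_vulnerable_version(): is a sync-server version below the 26.5.0 fix?
  2. find_bruteforce_sources(): scan access logs for bursts of
     POST /openid/config from one client, the signature of bootstrap-password
     guessing against an endpoint that has no rate limit.

Assumptions (not from the advisory): the sync-server sits behind a reverse
proxy writing nginx "combined" format logs, and 5 or more POSTs to the
endpoint within 60 seconds from one address is worth flagging.
"""
import re
from collections import defaultdict
from datetime import datetime

FIXED_VERSION = (26, 5, 0)  # first fixed release per the advisory


def parse_version(v: str) -> tuple:
    """'v26.4.0' or '26.4.0-rc1' -> (26, 4, 0); pre-release suffixes ignored."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(v: str) -> bool:
    return parse_version(v) < FIXED_VERSION


# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: total_posts} for clients with >= threshold POSTs to
    /openid/config inside any sliding window of window_seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than fail the whole scan
        ip, ts, method, path, _status = rec
        if method == "POST" and path == "/openid/config":
            hits[ip].append(ts)

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample log lines (not real traffic). Status codes are
# illustrative: the guesser gets errors, the legitimate admin gets a 200.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Jun/2026:10:00:{s:02d} +0000] '
    '"POST /openid/config HTTP/1.1" 401 52 "-" "python-requests/2.32"'
    for s in (1, 4, 7, 10, 13, 16)
] + [
    '198.51.100.2 - - [12/Jun/2026:10:02:00 +0000] '
    '"POST /openid/config HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Jun/2026:10:02:05 +0000] '
    '"GET /info HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for v in ("26.4.0", "26.5.0", "v25.12.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    print("brute-force sources:", find_bruteforce_sources(SAMPLE_LOG))
```

Run against a real proxy log by replacing SAMPLE_LOG with the file's lines; tune `threshold` and `window_seconds` to the rate at which administrators actually open the OpenID settings, which on a personal finance server is close to never, so even a low threshold produces few false positives.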
Mitigation Strategies

The immediate mitigation step is to upgrade the Actual Budget sync-server to version 26.5.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the sync-server to trusted users and networks so that untrusted clients cannot reach the /openid/config endpoint at all; a reverse proxy in front of the server can limit that path to an allowlist of administrator addresses.

Implement network-level controls such as firewall rules to limit access to the sync-server.

Monitor for brute-force attempts on the bootstrap password by reviewing logs and network traffic.

Rotate the OAuth2 client_secret at the identity provider and the bootstrap password after upgrading. If the endpoint was reachable while a vulnerable version was deployed, treat the secret as already disclosed: upgrading closes the endpoint but does not revoke credentials that were read from it.
