Note Mark Password Bypass Vulnerability in OIDC Users Allowing Session Hijacking
Vulnerability
A vulnerability in Note Mark version 0.19.2 allows unauthorized access to the accounts of users registered through OIDC, caused by a flaw in how passwords are handled during authentication. OIDC users are created with an empty password, and the application mistakenly treats the string 'null' as a valid password for such accounts. As a result, anyone who can reach the internal login endpoint can obtain a valid session for an OIDC user's account without knowing any credential, bypassing authentication entirely. The flaw lies in the internal login endpoint and requires no user interaction.
Impact
Exploitation of this vulnerability grants unauthorized access to OIDC users' accounts: an attacker can read, modify, or delete the victim's notes and assets. Because an attacker holding a session can also change the user's password, the takeover can be made persistent.
Reproduction
To reproduce this vulnerability, register a user through OIDC in Note Mark version 0.19.2; the account is created with an empty password. Then send a login request for that user to the internal login endpoint with the password field set to the string "null" (i.e. 'password: "null"' in the request body). The server answers with a valid session for the OIDC user, giving full access to the account.
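The root cause described under Vulnerability and Reproduction is a password check that does not first ask whether the account has a local password at all. The following is an added illustration of that defensive check, written for this page; it is not Note Mark's code and not the fix shipped in 0.19.3. The account fields, the scrypt parameters and the sample usernames are assumptions made for the example. An OIDC-only account stores no password hash, so password login for it is refused before any comparison happens, and "null", an empty string or a missing value are all just rejected inputs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


# Hypothetical account record; the field names are assumptions for this example,
# not Note Mark's schema.
@dataclass
class Account:
    username: str
    password_hash: Optional[bytes]  # None for accounts that never had a local password
    salt: Optional[bytes]
    auth_provider: str              # "local" or "oidc"


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; the cost parameters are illustrative only.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def make_local_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, hash_password(password, salt), salt, "local")


def make_oidc_account(username: str) -> Account:
    # An OIDC user gets no local credential at all, rather than an empty one.
    return Account(username, None, None, "oidc")


def verify_password_login(account: Optional[Account], supplied: Optional[str]) -> bool:
    """Return True only for a local account whose stored hash matches `supplied`."""
    # Unknown username: refuse.
    if account is None:
        return False
    # The check the advisory is about: an account without a stored local credential
    # (every OIDC account here) can never be logged into by password, whatever the
    # client sends. This runs before the supplied value is even looked at.
    if account.auth_provider != "local" or not account.password_hash or not account.salt:
        return False
    # The supplied value must be a real, non-empty string. A JSON null that was
    # stringified to "null" upstream is simply a wrong password here, never a match.
    if not isinstance(supplied, str) or supplied == "":
        return False
    candidate = hash_password(supplied, account.salt)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, account.password_hash)


def demo() -> dict:
    """Run a constructed scenario: one local user, one OIDC user, several login attempts."""
    accounts = {
        "alice": make_local_account("alice", "correct horse battery staple"),
        "bob": make_oidc_account("bob"),
    }
    # Constructed login attempts: (username, supplied password)
    attempts = {
        "alice/correct": ("alice", "correct horse battery staple"),
        "alice/null": ("alice", "null"),
        "bob/null": ("bob", "null"),
        "bob/empty": ("bob", ""),
        "bob/none": ("bob", None),
        "mallory/null": ("mallory", "null"),
    }
    return {name: verify_password_login(accounts.get(user), pw)
            for name, (user, pw) in attempts.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'session issued' if ok else 'rejected'}")
```

Only the genuine local login succeeds; every attempt against the OIDC account fails at the provider check, independent of what string the client supplied. The same ordering of checks is worth confirming in any self-hosted login path that mixes local and federated users.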
Remediation
Update to Note Mark version 0.19.3 or later, where this vulnerability has been patched. After upgrading, confirm that a login request for an OIDC user with the password "null" (or an empty password) is rejected, and review OIDC accounts for passwords that may have been set by an attacker while the vulnerable version was exposed.