Outline Privilege Escalation Vulnerability in OAuth Scope Validation Logic

Vulnerability

A logic error has been identified in the OAuth scope validation process of the Outline application, affecting versions from 0.84.0 prior to 1.6.1. The issue arises in the 'validateScope' function, which uses 'Array.some()' to validate the requested OAuth scopes. Because 'Array.some()' succeeds as soon as any single requested scope is valid, a request that pairs a legitimate scope with the wildcard scope, such as 'scope=read *', passes validation as a whole. This allows an attacker to escalate a read-only OAuth token to full unrestricted API access, including write, delete, and admin privileges. The vulnerability has been patched in version 1.7.0.

Impact

Exploiting this vulnerability allows a read-only OAuth token to gain full access to the API, including write, delete, and admin rights. This could lead to unauthorized modification or deletion of data, as well as changes to administrative settings.

Reproduction

To reproduce this vulnerability, register an OAuth client via Dynamic Client Registration (DCR). Then initiate an authorization request that includes the parameter 'scope=read *'. The 'validateScope' function incorrectly accepts the scope list, and the token is issued with wildcard access. Once obtained, the token can be used to access all API endpoints with full permissions.
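The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections, written for this page and not taken from Outline's source: a hypothetical 'validateScope' that uses 'Array.some()' next to a corrected version that uses 'Array.every()', run against a constructed 'read *' scope request. The allowed-scope list, the scope names and the 'simulateIssuance' helper are assumptions for the demonstration.

```javascript
// Hypothetical reconstruction of the flaw, not Outline's actual code.
// Constructed for this example: the scopes a read-only client may request.
const ALLOWED_SCOPES = ["read"];

// Parse the space-delimited OAuth 2.0 scope parameter (RFC 6749, section 3.3).
function parseScope(scopeParam) {
  return scopeParam.trim().split(/\s+/).filter(Boolean);
}

// Vulnerable pattern: Array.some() accepts the whole request as soon as
// ANY requested scope is allowed, so "read *" passes because "read" is valid.
function validateScopeVulnerable(requested, allowed) {
  return requested.some((scope) => allowed.includes(scope));
}

// Corrected pattern: Array.every() requires EACH requested scope to be
// allowed, and an empty scope list is rejected rather than vacuously accepted.
function validateScopeFixed(requested, allowed) {
  return requested.length > 0 && requested.every((scope) => allowed.includes(scope));
}

// Assumed authorization check on an issued token: "*" grants everything.
function tokenAllows(tokenScopes, neededScope) {
  return tokenScopes.includes("*") || tokenScopes.includes(neededScope);
}

// Run one authorization request through a validator and report what the
// resulting token could do. Returns { issued, scopes, canDelete }.
function simulateIssuance(scopeParam, validator) {
  const requested = parseScope(scopeParam);
  if (!validator(requested, ALLOWED_SCOPES)) {
    return { issued: false, scopes: [], canDelete: false };
  }
  // The token carries exactly the scopes that were requested.
  return {
    issued: true,
    scopes: requested,
    canDelete: tokenAllows(requested, "documents.delete"),
  };
}

// Constructed scope parameter from the advisory's reproduction steps.
const ESCALATING_REQUEST = "read *";
console.log("some():  ", simulateIssuance(ESCALATING_REQUEST, validateScopeVulnerable));
console.log("every(): ", simulateIssuance(ESCALATING_REQUEST, validateScopeFixed));
```

With 'Array.some()' the "read *" request yields a token that passes the delete check; with 'Array.every()' the same request is refused, while a plain "read" request still succeeds.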

Remediation

Users are advised to update to Outline version 1.7.0 or later, where this vulnerability has been fixed.

Added: May 11, 2026, 10:34 PM
Updated: May 11, 2026, 10:34 PM

Vulnerability Rating

Custom Algorithm
spread:         3.4
impact:         5.0
exploitability: 6.3
remediation:    7.7
relevance:      8.0
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.