ContextQMD
Back to Gitlabhq

Exposure of confidential secret or token Linear client secret or ID (OAuth 2.0)

doc/user/application_security/dast/browser/checks/798.67.md

18.11.21.6 KB
Original Source

Description

The response body contains content that matches the pattern of an OAuth 2.0 Linear client secret or ID was identified. Client secrets are used when allowing users to sign in to your application. Depending on the scopes requested, a malicious actor could impersonate the service to access a user's information. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To revoke a Linear OAuth 2.0 Client secret:

  • Sign in to your account at https://linear.app/
  • Select your organization in the upper-left corner and select "Preferences"
  • In the left-hand menu, select "API" under "My Account"
  • In the "OAuth Applications" section of the page, find the application that contains the identified key
  • Select the ellipsis to the right of the application name and then select "Manage application" - Next to the "Admin Actions" select "Rotate secret
  • When prompted, select "Rotate" in the "Rotate your client secret?" dialog

For more information, please see Linear's documentation on OAuth 2.0 authentication.

Details

IDAggregatedCWETypeRisk
798.67false798PassiveHigh