{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/883754#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe default security configuration in Salesforce allows an authenticated user of the Salesforce CLI to create a URL that grants anyone, anywhere, access to the Salesforce GUI with the same administrative credentials, without a log trace of the access or of the API usage.\r\n### Description\r\nThe Salesforce CLI allows an authenticated user to create an access URL from the command line. This URL can be shared as a link, so anyone who has the link can access the site from anywhere (any IP address or any device) with the same access rights as the creator of the URL. This access is only available for the lifetime of the access token; however, the new access is not logged or tracked in any way that is visible to the user or to the user's organization. The generated URL requires no username/password or any form of challenge/response, such as MFA, to verify the identity of the party using the new access. [OWASP API Security 2019](https://owasp.org/www-project-api-security/) recommends a number of protections for API endpoints (relevant sections API2:2019, API6:2019 and API10:2019) that would prevent abuse of such endpoints by malicious actors, including malicious insiders.\r\n\r\n### Impact\r\nAn unauthenticated user who gains access to a URL generated by the Salesforce CLI can perform administrative actions as if logged in with the same rights as the account owner who generated the URL. 
This includes the ability to add user accounts that have administrative rights, manage existing users or applications, and take any other action that is available to the user who generated the URL.\r\n\r\n### Solution\r\nIn the Salesforce GUI, under [Modify Session Security Settings](https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5), it is possible to lock sessions to the IP address from which the session originated, which limits the ability to share the URL with other hosts. The default configuration does not have this lock enabled because it may impact various applications and some mobile devices. It is also possible to lock down sessions using domain names instead of IP addresses. Before enforcing the access control recommended above, Salesforce customers should verify that their applications do not require such untethered or unmonitored access, and whether custom-generated URLs are currently required in their operations.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Joseph Allen, for reporting this vulnerability.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"A CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and, if provided by the vendor, the advisory URL for more details.","title":"Limitations of Advisory"},{"category":"other","text":"At Salesforce, Trust is our #1 value, and we take the protection of our customers’ data very seriously. For additional information, please refer to Knowledge Article Number 000363271, [Configuration of Salesforce Developer Experience Command Line Interface](https://help.salesforce.com/s/articleView?id=000363271&type=1).","title":"Vendor statement from salesforce.com"},{"category":"other","text":"The Salesforce CLI can authenticate to the Salesforce GUI with the user's current credentials via an API call. The credentials can be presented as a URL that can be sent via email, thereby opening an authenticated page on the Salesforce GUI. Because no MFA challenge is applied, the URL bypasses any additional security checks. This new access from a different location is not logged. The default restriction is the expiration of the access token, but if the URL is used before it expires, the holder can create new administrators or perform any other administrative operation that the authenticated user has permission to perform. The attack is prevented by changing the default configuration to [Lock session by IP](https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5). 
Salesforce indicates that this control may impact mobile devices or other Salesforce applications, so testing prior to deployment is recommended.","title":"CERT/CC comment on salesforce.com notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/883754"},{"url":"https://help.salesforce.com/s/articleView?id=000363271&type=1","summary":"https://help.salesforce.com/s/articleView?id=000363271&type=1"},{"url":"https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5","summary":"https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5"},{"url":"https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/salesforce_security_guide.htm","summary":"https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/salesforce_security_guide.htm"},{"url":"https://developer.salesforce.com/docs/atlas.en-us.234.0.sfdx_dev.meta/sfdx_dev/sfdx_dev_intro.htm","summary":"https://developer.salesforce.com/docs/atlas.en-us.234.0.sfdx_dev.meta/sfdx_dev/sfdx_dev_intro.htm"},{"url":"https://help.salesforce.com/s/articleView?id=000332032&type=1","summary":"https://help.salesforce.com/s/articleView?id=000332032&type=1"},{"url":"https://developer.salesforce.com/docs/atlas.en-us.234.0.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_web_flow.htm","summary":"https://developer.salesforce.com/docs/atlas.en-us.234.0.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_web_flow.htm"},{"url":"https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_connected_app.htm","summary
":"https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_connected_app.htm"},{"url":"https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart_oauth.htm","summary":"https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart_oauth.htm"},{"url":"https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_refresh_token_flow.htm&type=5","summary":"https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_refresh_token_flow.htm&type=5"},{"url":"https://help.salesforce.com/s/articleView?id=sf.remoteaccess_revoke_token.htm&type=5","summary":"https://help.salesforce.com/s/articleView?id=sf.remoteaccess_revoke_token.htm&type=5"},{"url":"https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_auth_sfdxurl.htm","summary":"https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_auth_sfdxurl.htm"},{"url":"https://salesforce.stackexchange.com/questions/276299/what-is-sfdx-auth-url-attribute-used-for","summary":"https://salesforce.stackexchange.com/questions/276299/what-is-sfdx-auth-url-attribute-used-for"},{"url":"https://help.salesforce.com/apex/HTViewSolution?id=000363271&language=en_US","summary":"Reference(s) from vendor \"salesforce.com\""}],"title":"Salesforce DX command line interface (CLI) does not adequately protect sfdxurl credentials","tracking":{"current_release_date":"2025-09-15T12:42:02+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#883754","initial_release_date":"2021-10-04 17:56:38.237122+00:00","revision_history":[{"date":"2025-09-15T12:42:02+00:00","number":"1.20250915124202.8","summary":"Released on 2025-09-15T12:42:02+00:00"}],"status":"final","version":"1.20250915124202.8"}},"vulnerabilities":[{"title":"The default configuration for Salesforce CLI commands (force:org:display and force:user:display) exposes OAuth 
Access and Refresh tokens that can be manipulated and passed in lieu of credentials to allow authentication from anywhere.","notes":[{"category":"summary","text":"The default configuration for Salesforce CLI commands (force:org:display and force:user:display) exposes OAuth Access and Refresh tokens that can be manipulated and passed in lieu of credentials to allow authentication from anywhere."}],"ids":[{"system_name":"CERT/CC V Identifier","text":"VU#883754"}],"product_status":{"known_not_affected":["CSAFPID-bcd33a6a-3412-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"salesforce.com","product":{"name":"salesforce.com Products","product_id":"CSAFPID-bcd33a6a-3412-11f1-8422-122e2785dc9f"}}]}}