CVE-2021-36758: 
NixOS vulnerability analysis and mitigation

1Password Connect server before 1.2 is missing validation checks in its token creation functionality. The vulnerability, identified as CVE-2021-36758, was discovered internally in May 2021 and affects all versions of the 1Password Connect server 1.1.1 and earlier. The issue allows users with permission to create Secrets Automation access tokens to bypass authorization restrictions (1Password Support).

The vulnerability stems from improper validation of input when consuming Secrets Automation tokens. When creating tokens, the Connect server fails to properly validate authorization restrictions, allowing users to create tokens with elevated access permissions. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows users with token creation permissions to bypass intended access restrictions. For example, if a user has permission to create tokens for accessing only one vault, they could create tokens that access all vaults configured in the Secrets Automation environment. However, the access is limited to vaults already configured for the Secrets Automation instance (1Password Support).

1Password released version 1.2 of the Connect server to address the vulnerability. Organizations should upgrade their Connect server deployments to version 1.2 or later. Additionally, all affected tokens were marked as 'unverified' and would stop working after August 2, 2021. Users need to verify existing tokens after confirming their intended access levels. The 1Password command-line tool should be upgraded to version 1.10.3 or later (1Password Support).