Configuration of Salesforce Developer Experience Command Line Interface

At Salesforce, Trust is our #1 value, and we take the protection of our customers’ data very seriously. On October 4, 2021, the CERT Coordination Center published a note (VU#883754) regarding the default configuration in the Salesforce Developer Experience (DX) Command Line Interface (CLI). After investigation, we’ve confirmed that this is not the result of a vulnerability inherent to the Salesforce platform, but can occur when the CLI tool is used to intentionally expose access tokens and the exported information is not properly controlled. Proper access controls should be utilized to block the use of session tokens from unintended systems. This potential issue only applies to customers who have installed the Salesforce DX CLI.

Background
The default configuration in Salesforce Core allows an authenticated user with a Salesforce DX CLI (available with the Winter ‘18 release) to create a URL that would enable any user to access Salesforce services with the same rights, without a log trace of access. A malicious user with access to the URL could perform administrative actions on behalf of the account owner who generated the token.

Customer Action
The Salesforce DX CLI is working as designed and access controls are available for customers to deploy via the session security settings to prevent potential misuse. The default configuration permits this capability as it is commonly used by developers and various applications.

We recommend reviewing the Help documentation, Manage Session Policies for a Connected App, for further details, as well as the following available resources: 

• Salesforce DX Developer Guide
• Salesforce Security Guide
• How Salesforce Developer Experience Changes the Way You Work
• Use of frontdoor.jsp to Log in to Salesforce and Experience Cloud Site
• Authorize an Org Using the Web Server Flow
• Create a Connected App for Your Dev Hub Org
• Step One: Set Up Authorization
• OAuth 2.0 Refresh Token Flow for Renewed Sessions
• Revoke OAuth Tokens

At any time, customers can open a case via Salesforce Help if they require assistance with reviewing or configuring their access control permissions.

Salesforce Action
Salesforce has released banner messages within the Salesforce DX CLI interface 7.120.0 to ensure customers are aware of the issue and encourage review of the Salesforce DX Developer Guide. We will update this article with any further enhancements.

We appreciate your trust in us as we continue to make your success our top priority.