Description
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can log in as the victim.
References
- Mitigation, Patch, Third Party Advisory
- Mitigation, Patch, Third Party Advisory
Vulnerable configurations
Configuration 1
Version before 1.8.2 (exclusive)
Version from 2.0.0 (inclusive) up to 2.3.1 (exclusive)
One of
cpe:2.3:a:buildbot:buildbot:*:*:*:*:*:*:*:*
cpe:2.3:a:buildbot:buildbot:*:*:*:*:*:*:*:*
EPSS: 0.00499 (Low), percentile: 65%
CVSS3: 9.8 Critical
CVSS2: 5 Medium
Weaknesses
CWE-287
Related vulnerabilities
CVSS3: 9.8
ubuntu
more than 6 years ago
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can log in as the victim.
CVSS3: 9.8
debian
more than 6 years ago
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted au ...