Описание
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under state{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect servers. The cache-backed state and request-token storage within Authlib is not securely linked to the user's initiating session. This vulnerability allows a remote attacker to exploit a Cross-Site Request Forgery (CSRF) by obtaining a valid state, which can lead to unauthorized actions being performed on behalf of the user.
Отчет
This vulnerability is rated Moderate for Red Hat products utilizing Authlib, such as Red Hat Ansible Automation Platform, Hosted OpenShift Clusters, Red Hat Quay, and Red Hat Satellite. The flaw arises from improper session management in Authlib's cache-backed state storage, allowing a remote attacker to perform Cross-Site Request Forgery (CSRF) by obtaining a valid state.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-chatbot-rhel8 | Affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-chatbot-rhel9 | Not affected | ||
| Red Hat Satellite 6 | satellite/foreman-mcp-server-rhel9 | Affected | ||
| Red Hat Quay 3.15 | quay/quay-rhel8 | Fixed | RHSA-2026:6568 | 03.04.2026 |
| Red Hat Quay 3.16 | quay/quay-rhel9 | Fixed | RHSA-2026:6497 | 02.04.2026 |
| Red Hat Quay 3.16 | quay/quay-rhel9 | Fixed | RHSA-2026:6567 | 03.04.2026 |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.7 Medium
CVSS3
Связанные уязвимости
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
Authlib is a Python library which builds OAuth and OpenID Connect serv ...
EPSS
5.7 Medium
CVSS3