CVE-2019-12300

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-12300

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12300.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-12300

Aliases

Downstream

DEBIAN-CVE-2019-12300

UBUNTU-CVE-2019-12300

Published

2019-05-23T15:30:12.623Z

Modified

2026-04-10T04:17:48.526414Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.

References

Affected packages

Git / github.com/buildbot/buildbot

Affected ranges

Type

GIT

Repo

https://github.com/buildbot/buildbot

Events

Introduced

Fixed

e2db8794b1353f3a81d225697601bb09909b99b1

Introduced

4d84bbd5b6292a619c7f80b263b8108b3690a776

Fixed

602fcbc1a9bcb33857de58aedd5e1ae6c7ddd0af

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.2"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.3.1"
        }
    ]
}

Affected versions

v0.*

v0.7.1

v0.7.10

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.8.10-pre

v0.8.3

v0.8.3-pre

v0.8.4

v0.8.4-pre

v0.8.5

v0.8.5-pre

v0.8.5rc1

v0.8.6-pre

v0.8.7-pre2

v0.8.8-pre

v0.8.9-pre

v0.9.0b2

v0.9.0b3

v0.9.0b4

v0.9.0b8

v0.9.1

v0.9.10

v0.9.11

v0.9.12

v0.9.12.post1

v0.9.13

v0.9.14

v0.9.15

v0.9.15.post1

v0.9.3

v0.9.4

v0.9.5

v0.9.6

v0.9.7

v0.9.9

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12300.json"