CVE-2021-29437

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-29437
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29437.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-29437
Related
  • GHSA-gvpg-23fh-8g75
Published
2021-04-13T20:15:22Z
Modified
2025-01-14T22:02:15Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
[none]
Details

ScratchOAuth2 is an OAuth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. The attack proceeds as follows:

  1. A Scratch user visits a third-party site.
  2. The third-party site asks the user for their Scratch username.
  3. The third-party site pretends to be the user and obtains a login code from ScratchOAuth2.
  4. The third-party site gives the code to the user and instructs them to post it on their profile.
  5. The user posts the code on their profile, not knowing it is a ScratchOAuth2 login code.
  6. The third-party site completes the login with ScratchOAuth2.
  7. The third-party site now has full access to anything the user could do if they had logged in directly.

See the referenced GitHub security advisory for patch notes and workarounds.

References

Affected packages

Git / github.com/scratchverifier/scratchoauth2

Affected ranges

Type
GIT
Repo
https://github.com/scratchverifier/scratchoauth2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed