CVE-2024-42476

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-42476
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42476.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42476
Aliases
  • GHSA-pc9j-53g7-5x54
Published
2024-08-15T18:48:08.325Z
Modified
2026-04-10T05:16:50.475899Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
oauth CSRF vulnerability
Details

In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the state parameter to prevent cross-site request forgery (CSRF) attacks where a resource owner might have their session associated with protected resources belonging to an attacker. When this project is compiled with certain compiler flags set, it is possible that the state parameter will not be checked at all, creating a CSRF vulnerability. Version 0.11 checks the state parameter using a regular if statement or doAssert instead of relying on a plain assert. doAssert will achieve the desired behavior even if -d:danger or --assertions:off is set.

Database specific 
{
    "cwe_ids": [
        "CWE-352"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42476.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/cordea/oauth

Affected ranges

Type
GIT
Repo
https://github.com/cordea/oauth
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ec2e058fc46f04deaf3cb55eca32b3b83c614953
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.11"
        }
    ]
}

Affected versions

v0.*
v0.10
v0.3
v0.4
v0.4.1
v0.5
v0.6
v0.7
v0.8
v0.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42476.json"