GHSA-hhw9-35p2-q2c5

Source
https://github.com/advisories/GHSA-hhw9-35p2-q2c5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-hhw9-35p2-q2c5/GHSA-hhw9-35p2-q2c5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hhw9-35p2-q2c5
Published
2021-01-29T20:51:30Z
Modified
2024-12-02T05:44:34.357512Z
Summary
Steam Socialite Provider v1 does not correctly validate the OpenID server
Details

Impact

The outdated version 1 of the Steam Socialite Provider does not properly check that the login response comes from steamcommunity.com, allowing a malicious actor to substitute their own OpenID server.

Patches

This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained; users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.
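The Impact and Patches sections above describe the gap and its fix in one sentence each. The following PHP illustration, added here and not taken from the socialiteproviders/steam package, contrasts a check that trusts whatever OpenID endpoint the response names with one that pins the endpoint to a hardcoded steamcommunity.com value; the endpoint constants, the sample responses and the class name are assumptions made for this example.

```php
<?php
// Added illustration, not code from socialiteproviders/steam: the class of check the
// advisory describes, trusting an OpenID 2.0 response only if it names Steam's own
// provider endpoint. Endpoint constants and sample responses are assumed/constructed.
final class SteamOpenIdResponseCheck
{
    // Steam's public OpenID 2.0 endpoint and identity URL prefix (assumed fixed values).
    private const STEAM_OP_ENDPOINT = 'https://steamcommunity.com/openid/login';
    private const STEAM_ID_PREFIX   = 'https://steamcommunity.com/openid/id/';
    // Weak check, constructed to mirror the advisory's gap: it only tests that the
    // endpoint supplied by the response itself is a well-formed URL, so a response
    // pointing at any OpenID server is accepted.
    public static function weakCheck(array $query): bool
    {
        $endpoint = $query['openid_op_endpoint'] ?? '';
        return is_string($endpoint) && filter_var($endpoint, FILTER_VALIDATE_URL) !== false;
    }

    // Hardened check: the endpoint must equal the hardcoded Steam endpoint and the
    // claimed identity must be a steamcommunity.com identity URL. The signature is
    // then verified against that fixed endpoint (OpenID check_authentication), never
    // against the endpoint the response names.
    public static function hardenedCheck(array $query): bool
    {
        $endpoint  = $query['openid_op_endpoint'] ?? '';
        $claimedId = $query['openid_claimed_id'] ?? '';
        if (!is_string($endpoint) || !is_string($claimedId)) {
            return false;
        }
        if (!hash_equals(self::STEAM_OP_ENDPOINT, $endpoint)) {
            return false;
        }
        $prefixLen = strlen(self::STEAM_ID_PREFIX);
        return strncmp($claimedId, self::STEAM_ID_PREFIX, $prefixLen) === 0
            && ctype_digit(substr($claimedId, $prefixLen));
    }
}
// Constructed samples. PHP exposes "openid.op_endpoint" from the query string as
// $_GET['openid_op_endpoint'] (dots become underscores), hence these key names.
$forged = [
    'openid_op_endpoint' => 'https://openid.example.invalid/login',
    'openid_claimed_id'  => 'https://openid.example.invalid/id/76561197960287930',
];
$genuine = [
    'openid_op_endpoint' => 'https://steamcommunity.com/openid/login',
    'openid_claimed_id'  => 'https://steamcommunity.com/openid/id/76561197960287930',
];
var_dump(SteamOpenIdResponseCheck::weakCheck($forged), SteamOpenIdResponseCheck::hardenedCheck($forged));
var_dump(SteamOpenIdResponseCheck::hardenedCheck($genuine));
```

The weak check accepts the forged response because it only inspects the shape of the endpoint the response supplies, while the hardened check rejects it and accepts only a response naming the fixed Steam endpoint.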

For more information

If you have any questions or comments about this advisory:
* Open an issue in SocialiteProviders/Providers
* Email us at socialite@atymic.dev

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-346"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-29T20:39:56Z"
}
References

Affected packages

Packagist / socialiteproviders/steam

Package

Name
socialiteproviders/steam
Purl
pkg:composer/socialiteproviders/steam

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.0

Affected versions

v1.*

v1.0.0
v1.0.1
v1.1

Database specific

{
    "last_known_affected_version_range": "< 1.1"
}