PYSEC-2019-76
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/buildbot/PYSEC-2019-76.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2019-76
- Withdrawn
- 2023-03-14T07:01:09.384298Z
- Published
- 2019-05-23T15:30:00Z
- Modified
- 2023-03-14T07:01:09.384298Z
- Summary
- [none]
- Details
-
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.
- References
-
- https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA/
Affected packages
PyPI / buildbot
Package
- Name
- buildbot
- View open source insights on deps.dev
- Purl
- pkg:pypi/buildbot
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.2Introduced2.0.1Fixed2.3.1
Affected versions
0.*
0.7.10p1
0.7.11p1
0.7.11p2
0.7.11p3
0.8.1p1
0.8.3p1
0.8.4p1
0.8.4p2
0.8.6p1
0.8.7p1
0.7.3
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.12
0.8.13
0.8.14
0.9.0b1
0.9.0b2
0.9.0b3
0.9.0b4
0.9.0b5
0.9.0b6
0.9.0b7
0.9.0b8
0.9.0b9
0.9.0rc1
0.9.0rc2
0.9.0rc3
0.9.0rc4
0.9.0
0.9.0.post1
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.9.post1
0.9.9.post2
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.15.post1
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.8.1
2.*
2.0.1
2.1.0
2.2.0
2.3.0