GHSA-g86p-hgx5-2pfh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g86p-hgx5-2pfh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g86p-hgx5-2pfh
- Aliases
- Published
- 2019-05-29T18:48:11Z
- Modified
- 2025-02-15T05:30:57.608881Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Improper Authentication in Buildbot
- Details
-
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2019-05-29T18:47:56Z", "nvd_published_at": "2019-05-23T15:30:00Z", "cwe_ids": [ "CWE-287" ], "severity": "CRITICAL" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-12300
- https://github.com/advisories/GHSA-g86p-hgx5-2pfh
- https://github.com/buildbot/buildbot
- https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication
- https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2019-6.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA
Affected packages
PyPI / buildbot
Package
- Name
- buildbot
- View open source insights on deps.dev
- Purl
- pkg:pypi/buildbot
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.2
Affected versions
0.*
0.7.10p1
0.7.11p1
0.7.11p2
0.7.11p3
0.8.1p1
0.8.3p1
0.8.4p1
0.8.4p2
0.8.6p1
0.8.7p1
0.7.3
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.12
0.8.13
0.8.14
0.9.0b1
0.9.0b2
0.9.0b3
0.9.0b4
0.9.0b5
0.9.0b6
0.9.0b7
0.9.0b8
0.9.0b9
0.9.0rc1
0.9.0rc2
0.9.0rc3
0.9.0rc4
0.9.0
0.9.0.post1
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.9.post1
0.9.9.post2
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.15.post1
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.8.1
PyPI / buildbot
Package
- Name
- buildbot
- View open source insights on deps.dev
- Purl
- pkg:pypi/buildbot