CVE-2022-29773: ClientProtectedResourceMixin allows access if no allowed_scopes are set (#688) · Issues · AlekSIS / Official / AlekSIS-Core

An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.


ClientProtectedResourceMixin allows access if no allowed_scopes are set

Using client credentials as authentication method for API views, we introduced a field for OAuth2 applications that needs to be filled with the scopes these client credentials should have access to. If there are no allowed scopes, the access shouldn't be granted, as nothing is allowed. With the current code base, access is also allowed if there are no allowed scopes.

Edited Apr 23, 2022 by Jonathan Weth
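As an added illustration of the behaviour the issue describes (simplified model, not AlekSIS-Core's own code; function names and the scope-string format are assumptions), the lenient check beside the deny-by-default one:

```python
from typing import Iterable, Optional, Set


def parse_scopes(value: Optional[str]) -> Set[str]:
    """Parse a space-separated OAuth2 scope string (RFC 6749 style) into a set.

    None, "" or whitespace-only all yield an empty set, which is exactly the
    "no allowed scopes set" configuration the issue is about.
    """
    return set(value.split()) if value else set()


def scopes_allowed_lenient(allowed: Iterable[str], required: Iterable[str]) -> bool:
    """Models the flawed behaviour: scopes are enforced only when some are set.

    With no allowed scopes configured the check is skipped, so a client
    credential with an empty allow list reaches every scope.
    """
    allowed_set = set(allowed)
    if not allowed_set:
        return True  # no restriction configured -> treated as unrestricted
    return set(required) <= allowed_set


def scopes_allowed_strict(allowed: Iterable[str], required: Iterable[str]) -> bool:
    """Hardened check: an empty allow list grants nothing (deny by default)."""
    allowed_set = set(allowed)
    if not allowed_set:
        return False
    return set(required) <= allowed_set


if __name__ == "__main__":
    # Constructed sample: an application record with no allowed scopes,
    # used against a view that requires the "read" scope.
    app_allowed = parse_scopes("")
    print(scopes_allowed_lenient(app_allowed, ["read"]))  # True: the flaw
    print(scopes_allowed_strict(app_allowed, ["read"]))   # False: fixed
```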

Related news

GHSA-76x2-h8h3-cwjg: Access control issue in AlekSIS-Core

