CVE-2022-29773: ClientProtectedResourceMixin allows access if no allowed_scopes are set (AlekSIS-Core issue #688)
An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.
ClientProtectedResourceMixin allows access if no allowed_scopes are set
Using client credentials as an authentication method for API views, we introduced a field for OAuth2 applications that needs to be filled with the scopes these client credentials should have access to. If there are no allowed scopes, the access shouldn’t be granted as nothing is allowed. With the current code base, access is also allowed if there are no allowed scopes.
Edited Apr 23, 2022 by Jonathan Weth
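As an added illustration of the failure mode the issue describes (example code, not AlekSIS's own ClientProtectedResourceMixin): the weak check that treats an unset allowed_scopes field as "no restriction" beside the corrected subset check. The Application record, parse_scopes and the sample scope strings are assumed stand-ins.

```python
from dataclasses import dataclass, field


@dataclass
class Application:
    """Constructed stand-in for an OAuth2 application with an allowed-scopes field."""
    client_id: str
    allowed_scopes: set[str] = field(default_factory=set)


def parse_scopes(scope_string: str) -> set[str]:
    """OAuth2 scope lists are space-separated (RFC 6749, section 3.3)."""
    return set(scope_string.split())


def client_may_access_vulnerable(app: Application, required: set[str]) -> bool:
    """Weak check: an empty allow-list is read as 'no restriction configured'.

    This is the bug class from the issue: a client whose allowed scopes were
    never filled in passes for any view, so unconfigured credentials get everything.
    """
    if not app.allowed_scopes:
        return True  # BUG: "nothing allowed" must mean "nothing granted"
    return required <= app.allowed_scopes


def client_may_access_fixed(app: Application, required: set[str]) -> bool:
    """Hardened check: grant only if every scope the view requires is explicitly allowed.

    Plain subset semantics already deny an empty allow-list against any view
    that requires a scope, so no special case is needed and none should be added.
    """
    return required <= app.allowed_scopes


def evaluate(app: Application, view_scopes: str) -> tuple[bool, bool]:
    """Run both checks for one client against one view; returns (vulnerable, fixed)."""
    required = parse_scopes(view_scopes)
    return (client_may_access_vulnerable(app, required),
            client_may_access_fixed(app, required))


if __name__ == "__main__":
    # Constructed sample: a client whose allowed_scopes were never set.
    unconfigured = Application(client_id="reporting-job")
    print(evaluate(unconfigured, "read"))       # (True, False)
    configured = Application(client_id="sync-job", allowed_scopes=parse_scopes("read write"))
    print(evaluate(configured, "read"))         # (True, True)
    print(evaluate(configured, "read admin"))   # (False, False)
```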