Description: "Buildbot accepted a user-submitted authorization token from OAuth and used it to authenticate the user. The vulnerability can allow malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials in certain scenarios. If an attacker has an application authorized to access data of another user at the same Identity Provider as the one used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully log in as the victim."

Affected versions:
- 0.9.5 to 1.8.1
- 2.0.0 to 2.3.0 (inclusive)
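The advisory above describes a token-audience check that was missing: the token told Buildbot who the user was, but not which application the Identity Provider had issued it to. The following is an added illustration of that check, not Buildbot's own code; the in-memory "IdP" is a constructed stand-in for an RFC 7662 token introspection endpoint, and the client ids and token strings are made up.

```python
import time

# Assumption: the client_id our instance registered at the Identity Provider.
OUR_CLIENT_ID = "buildbot-ci"

# Constructed introspection results keyed by token value (stand-in for the IdP).
INTROSPECTION_DB = {
    # Token the victim obtained by logging in to our instance: legitimate.
    "tok-victim-for-buildbot": {"active": True, "sub": "alice",
                                "client_id": "buildbot-ci",
                                "exp": time.time() + 3600},
    # Token the victim granted to a *different* application at the same IdP.
    # That application's operator can read it and replay it against us.
    "tok-victim-for-other-app": {"active": True, "sub": "alice",
                                 "client_id": "weather-widget",
                                 "exp": time.time() + 3600},
    # Token for our client_id that the IdP has already expired/revoked.
    "tok-expired": {"active": False, "sub": "alice",
                    "client_id": "buildbot-ci", "exp": time.time() - 1},
}


def introspect(token):
    """Stand-in for POST /introspect at the IdP; unknown tokens are inactive."""
    return INTROSPECTION_DB.get(token, {"active": False})


def vulnerable_login(token):
    """The pattern the advisory describes: any live token that resolves to a
    user logs that user in, no matter which application it was issued to."""
    info = introspect(token)
    if not info.get("active"):
        return None
    return info["sub"]


def hardened_login(token, now=None):
    """Accept the token only if the IdP reports it active, unexpired and
    issued to OUR client_id. A token minted for another application says
    nothing about the bearer's right to this instance, so it is rejected."""
    now = time.time() if now is None else now
    info = introspect(token)
    if not info.get("active"):
        return None
    if info.get("exp", 0) <= now:
        return None
    if info.get("client_id") != OUR_CLIENT_ID:
        return None
    return info["sub"]
```

With a real provider the same comparison is made against the introspection response's `client_id` (or the `aud` claim of a JWT access token), and the check must run before any session is created.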
I suppose we'll be last-riting this, given zero maintenance effort and a growing number of bugs.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd9d2971828929749e4695c0baf8900a6a3e3b43

commit cd9d2971828929749e4695c0baf8900a6a3e3b43
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-29 07:39:29 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-29 07:39:38 +0000

package.mask: Last rite dev-util/buildbot* & revdeps

Bug: https://bugs.gentoo.org/711702
Signed-off-by: Michał Górny <mgorny@gentoo.org>

profiles/package.mask | 14 ++++++++++++++
1 file changed, 14 insertions(+)
CVE-2019-7313 (https://nvd.nist.gov/vuln/detail/CVE-2019-7313): www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.
Old vulnerable versions have been cleaned from the tree now.
(In reply to Brian Dolbec from comment #4)
> Old vulnerable versions have been cleaned from the tree now.

Thanks! All done :)