Bug 718810 (CVE-2019-13611) - <dev-python/python-engineio-3.12.1: Cross-site websocket hijacking (CVE-2019-13611)
Summary: <dev-python/python-engineio-3.12.1: Cross-site websocket hijacking (CVE-2019-...
Status: RESOLVED FIXED
Alias: CVE-2019-13611
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-22 00:54 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-08 04:08 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 00:54:09 UTC
CVE-2019-13611 (https://nvd.nist.gov/vuln/detail/CVE-2019-13611):
  An issue was discovered in python-engineio through 3.8.2. There is a
  Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers
  to make WebSocket connections to a server by using a victim's credentials,
  because the Origin header is not restricted.
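The CVE text above says the flaw is an unrestricted Origin header on the WebSocket handshake. The following is an added example (not python-engineio's own code, and not from this bug report) of the server-side check a fixed version needs: the Origin sent by the browser is normalised and compared against an explicit allow-list, or against the request's own Host when no list is configured. The header dicts, host names and the `origin_allowed`/`check_handshake` function names are constructed for this illustration.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {'http': 80, 'https': 443, 'ws': 80, 'wss': 443}

def _normalize(origin):
    """Reduce an origin string to (scheme, host, port) for exact comparison.
    Raises ValueError on a malformed port, which the caller treats as reject."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or '').lower()
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def origin_allowed(headers, allowed_origins=None, request_scheme='http'):
    """Decide whether a handshake request may proceed.

    headers:         request headers (any case), as a dict
    allowed_origins: list of 'scheme://host[:port]' strings, or '*'
                     (None/empty means same-origin only, derived from Host)
    request_scheme:  scheme the server was reached over ('http'/'https')
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    origin = hdr.get('origin')
    if origin is None:
        # Browsers always send Origin; its absence means a non-browser
        # client, which cannot carry a victim's ambient cookies (the CSWSH
        # precondition). Treat as not cross-site rather than refusing.
        return True
    if allowed_origins == '*':
        return True
    if not allowed_origins:
        # Same-origin policy: only pages served from this Host may connect.
        allowed_origins = [f"{request_scheme}://{hdr.get('host', '')}"]
    try:
        key = _normalize(origin)
    except ValueError:
        return False
    # An Origin of "null" (sandboxed iframe, data: URL) normalises to an
    # empty host and therefore never matches a configured origin.
    return key in {_normalize(a) for a in allowed_origins}

def check_handshake(headers, allowed_origins=None, request_scheme='http'):
    """Return the (status, reason) a server should answer the upgrade with."""
    if not origin_allowed(headers, allowed_origins, request_scheme):
        return (403, 'Forbidden: Origin not allowed')
    return (101, 'Switching Protocols')

# Constructed sample handshakes (not real captures). Both browser requests
# carry the victim's session cookie; only the Origin differs.
SAME_SITE = {'Host': 'app.example.test', 'Origin': 'http://app.example.test',
             'Upgrade': 'websocket', 'Cookie': 'session=abc'}
CROSS_SITE = {'Host': 'app.example.test', 'Origin': 'http://evil.example.test',
              'Upgrade': 'websocket', 'Cookie': 'session=abc'}
NON_BROWSER = {'Host': 'app.example.test', 'Upgrade': 'websocket'}
```

Without the check (the vulnerable behaviour the CVE describes), `CROSS_SITE` would be upgraded exactly like `SAME_SITE`, and the page at `evil.example.test` would read the socket with the victim's session; with it, only an explicitly listed or same-origin page gets 101.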
Comment 1 Larry the Git Cow gentoo-dev 2020-04-22 01:20:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1a36eef3377052cb6c30ef16dfd4465425e292b

commit f1a36eef3377052cb6c30ef16dfd4465425e292b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-04-22 01:18:47 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-04-22 01:19:27 +0000

    dev-python/python-engineio: drop vulnerable version 2.2.0
    
    Bug: https://bugs.gentoo.org/718810
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-python/python-engineio/Manifest                |  1 -
 .../python-engineio/python-engineio-2.2.0.ebuild   | 27 ----------------------
 2 files changed, 28 deletions(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 04:08:41 UTC
Thanks!