{"id":"PYSEC-2019-76","details":"Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can log in as the victim.","modified":"2023-03-14T07:01:09.384298Z","published":"2019-05-23T15:30:00Z","withdrawn":"2023-03-14T07:01:09.384298Z","references":[{"type":"WEB","url":"https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA/"}],"affected":[{"package":{"name":"buildbot","ecosystem":"PyPI","purl":"pkg:pypi/buildbot"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.2"},{"introduced":"2.0.1"},{"fixed":"2.3.1"}]}],"versions":["0.7.10p1","0.7.11p1","0.7.11p2","0.7.11p3","0.8.1p1","0.8.3p1","0.8.4p1","0.8.4p2","0.8.6p1","0.8.7p1","0.7.3","0.7.5","0.7.6","0.7.7","0.7.8","0.7.9","0.7.10","0.7.11","0.7.12","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","0.8.10","0.8.12","0.8.13","0.8.14","0.9.0b1","0.9.0b2","0.9.0b3","0.9.0b4","0.9.0b5","0.9.0b6","0.9.0b7","0.9.0b8","0.9.0b9","0.9.0rc1","0.9.0rc2","0.9.0rc3","0.9.0rc4","0.9.0","0.9.0.post1","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","0.9.9.post1","0.9.9.post2","0.9.10","0.9.11","0.9.12","0.9.13","0.9.14","0.9.15","0.9.15.post1","1.0.0","1.1.0","1.1.1","1.1.2","1.2.0","1.3.0","1.4.0","1.5.0","1.6.0","1.7.0","1.8.0","1.8.1","2.0.1","2.1.0","2.2.0","2.3.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/buildbot/PYSEC-2019-76.yaml"}}],"schema_version":"1.7.3"}