Topic

OAuth

A collection of 9 issues

CVE-2022-36087 OAuthLib is a library for OAuth request signing. An attacker with malicious redirect uri can cause DoS.

CVE-2019-8678 An attacker can bypass authorization workflow and steal sensitive data by injecting malicious redirect URI into the flow. OAuthLib apps that use `uri_validate` directly or use OAuth2.0 provider support are vulnerable to this issue. The attacker can send valid redirect URI to the user and wait for

CVE-2022-31162 Slack OAuth client information can leak in application debug logs before 0.41.0.

If you encounter issues while debugging an application, search for any application logs that contain the word “OAuth” and review the information being printed. An updated debug formatting rule was introduced in v0.41.0 to reduce the possibility of leaking client information in debug logs. If you are not

CVE-2022-30622 The system discloses usernames and passwords, which means it's possible to enter the system. The system loads the request clearly by default.

The server code is very vulnerable, as it is described in the following example. In addition, the server has hard-coded authentication credentials (admin/admin). Path access: http://api/sys_admin_password_admin.cmd - The server loads the request clearly by default. Disclosure of hard-coded login credentials within the JS

CVE-2022-2133 OAuth plugin before 6.22.6 doesn't validate token requests, which allows attackers to log into site with user's email address.

This access token can then be used to request any type of resource on the website that the user has access to. This could be anything from adding new users to editing their profile information, changing their email address, and so on. The attacker cannot access any other data on

CVE-2022-31107 Grafana is an open-source platform for monitoring and observability

as that user. This allows the malicious user to gain access to all of the Grafana data for the target user's account and see that user's dashboards and data, even if that data is marked as private. This issue does not affect access to the Grafana web user interface and

CVE-2022-31034 Argo CD v0.11.0 is vulnerable to SSO login attacks when initiated from the Argo CD CLI or UI.

A vulnerable Argo CD installation can be uncovered by an attacker by monitoring the rate of successful OAuth2/OIDC login attempts. What is important to note here is that an attacker has to be on the same network as the victim to carry out this type of attack. An attacker

CVE-2022-30034 Flower, a web UI for the Celery Python RPC framework, is vulnerable to an OAuth authentication bypass.

OAuth is a widely used authentication protocol. It provides a secure way for users to grant permission for their data to be accessed by authorized third parties, such as web apps. It reduces the risk of unauthorized access by allowing users to control who has access to their data. Access

CVE-2022-0829 Improper Authorization in GitHub repository webmin/webmin prior to 1.990.

We have fixed the issue with this authorization type and we also added the support for other authorization types. We hope that from now on you will be able to create new repositories and issue trackers with the help of your employees. The next release of webmin will also support

CVE-2022-21673 Grafana is an open-source platform for monitoring and observability

API token attackers can leverage this issue to obtain data for which they may not have intended to have access. Attackers can exploit this issue to configure API token data sources to forward the OAuth token of the most recently logged-in user, allowing API token attackers to retrieve data for