oauth2
Fixed in: 1.9.1, 1.9rc1
CVE-2013-4346 affects the python-oauth2 library, specifically its Server.verify_request function. This vulnerability allows attackers to perform replay attacks by exploiting the absence of nonce verification within signed URLs. Systems using python-oauth2 versions less than or equal to 1.5.211 are vulnerable. A fix is available in version 1.9rc1.
The primary impact of CVE-2013-4346 is the potential for replay attacks. An attacker can capture a valid, signed URL and resubmit it at a later time, effectively tricking the application into processing the request again. This could lead to unauthorized actions, such as granting access to resources, modifying data, or performing transactions without the user's knowledge or consent. The blast radius depends on the application's reliance on OAuth2 and the sensitivity of the data protected by it. If the application handles financial transactions or sensitive user data, the impact could be significant. This vulnerability shares similarities with other OAuth2 implementation flaws where proper nonce handling is missing, potentially leading to similar exploitation patterns.
CVE-2013-4346 was published on May 20, 2014. There is no indication of this CVE being listed on KEV or having an EPSS score. Public proof-of-concept (POC) code is not widely available, suggesting limited active exploitation. However, the vulnerability's nature makes it a potential target for opportunistic attackers.
Exploit status
EPSS: 0.47% (65th percentile)
CVSS vector
The recommended mitigation for CVE-2013-4346 is to upgrade to version 1.9rc1 or later of the python-oauth2 library. If upgrading is not immediately feasible, consider implementing temporary workarounds. Strict URL validation should be enforced to ensure that only expected parameters are present and within acceptable ranges. Rate limiting can also help to mitigate the impact of replay attacks by limiting the number of requests from a single source within a given timeframe. Review OAuth2 configuration to ensure nonces are properly generated and verified. After upgrading, confirm the fix by attempting to replay a previously captured signed URL – it should be rejected.
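As an added illustration of the nonce verification that the fix restores (example code written for this page, not python-oauth2's own), the following models the check a server must apply to every signed request: reject a (consumer key, timestamp, nonce) triple it has already accepted, and reject timestamps outside a skew window so the store cannot grow without bound. The names NonceStore and SAMPLE_PARAMS and the 300-second window are assumptions; the signature itself is assumed to have been verified separately.

```python
"""Replay protection for OAuth signed requests: nonce + timestamp check.

Added example (not python-oauth2's own code). It models the check that
Server.verify_request lacked in affected versions: a signed request carries
oauth_timestamp and oauth_nonce, and the server must refuse any
(consumer key, timestamp, nonce) triple it has already accepted, as well as
timestamps outside an acceptable skew window. Names are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the OAuth parameters a signed request carries
# (the signature is assumed valid; only the replay check is shown here).
SAMPLE_PARAMS = {
    "oauth_consumer_key": "demo-consumer",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "5f3a9c1e",
}


@dataclass
class NonceStore:
    """In-memory store of accepted triples; entries expire after `window` seconds."""
    window: int = 300
    _seen: set = field(default_factory=set)

    def _purge(self, now: int) -> None:
        # Drop triples whose timestamp is older than the window: a replay of
        # one of those is already rejected by the skew check below.
        cutoff = now - self.window
        self._seen = {k for k in self._seen if k[1] >= cutoff}

    def check(self, params: dict, now: Optional[int] = None) -> bool:
        """Return True if the request is fresh, False if stale or a replay."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(params["oauth_timestamp"])
            key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        except (KeyError, ValueError):
            return False  # missing or malformed parameters: reject
        if abs(now - ts) > self.window:
            return False  # outside the skew window: cannot be de-duplicated, reject
        self._purge(now)
        if key in self._seen:
            return False  # same consumer/timestamp/nonce was already accepted
        self._seen.add(key)
        return True
```

A first presentation of SAMPLE_PARAMS is accepted; presenting the same parameters again within the window is refused, which is exactly the test step the mitigation paragraph describes.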
CVE-2013-4346 is a HIGH severity vulnerability in python-oauth2 versions ≤1.5.211. It allows attackers to replay signed URLs due to missing nonce verification, potentially leading to unauthorized actions.
You are affected if your application uses python-oauth2 version 1.5.211 or earlier. Check your installed version using pip show python-oauth2.
Upgrade to version 1.9rc1 or later of python-oauth2. As a temporary measure, implement strict URL validation and rate limiting.
There is no widespread evidence of active exploitation, but the vulnerability's nature makes it a potential target for opportunistic attacks.
While a dedicated advisory might not exist, refer to the python-oauth2 project's repository and related discussions for information: https://github.com/SimpleGeo/python-oauth2