oauth2
Fixed in
1.9.1
1.9rc1
CVE-2013-4346 affects the python-oauth2 library, specifically its Server.verify_request function. This vulnerability allows attackers to perform replay attacks by exploiting the absence of nonce verification within signed URLs. Systems using python-oauth2 versions less than or equal to 1.5.211 are vulnerable. A fix is available in version 1.9rc1.
The primary impact of CVE-2013-4346 is the potential for replay attacks. An attacker can capture a valid, signed URL and resubmit it at a later time, effectively tricking the application into processing the request again. This could lead to unauthorized actions, such as granting access to resources, modifying data, or performing transactions without the user's knowledge or consent. The blast radius depends on the application's reliance on OAuth2 and the sensitivity of the data protected by it. If the application handles financial transactions or sensitive user data, the impact could be significant. This vulnerability shares similarities with other OAuth2 implementation flaws where proper nonce handling is missing, potentially leading to similar exploitation patterns.
CVE-2013-4346 was published on May 20, 2014. There is no indication of this CVE being listed on KEV or having an EPSS score. Public proof-of-concept (POC) code is not widely available, suggesting limited active exploitation. However, the vulnerability's nature makes it a potential target for opportunistic attackers.
Exploit status
EPSS
0.47% (65th percentile)
CVSS vector
The recommended mitigation for CVE-2013-4346 is to upgrade to version 1.9rc1 or later of the python-oauth2 library. If upgrading is not immediately feasible, consider implementing temporary workarounds. Strict URL validation should be enforced to ensure that only expected parameters are present and within acceptable ranges. Rate limiting can also help to mitigate the impact of replay attacks by limiting the number of requests from a single source within a given timeframe. Review OAuth2 configuration to ensure nonces are properly generated and verified. After upgrading, confirm the fix by attempting to replay a previously captured signed URL – it should be rejected.
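The replay described above (a captured, validly signed URL resubmitted later) and the mitigation advice to make sure nonces are generated and verified can both be shown in a few dozen lines. The following is an added example, not code from the python-oauth2 project: a minimal OAuth 1.0a-style verifier with a signature-only check (the pattern the advisory describes as vulnerable) beside a check that also enforces a timestamp window and rejects previously seen (consumer key, timestamp, nonce) triples. The consumer secret, URL, nonce and acceptance window are constructed for this example, and the in-memory `ReplayGuard` store is a hypothetical stand-in for whatever nonce store a real deployment would use.

```python
"""Added example: signature-only verification vs. signature + nonce/timestamp verification.

Not the python-oauth2 library's code. Secrets, URLs and nonces below are constructed.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlencode, urlparse

# Hypothetical acceptance window for oauth_timestamp, in seconds (assumption).
ACCEPT_WINDOW_SECONDS = 300


def _base_string(method, url, params):
    # OAuth 1.0 style signature base string: METHOD & URL & sorted, encoded parameters.
    # oauth_signature itself is never part of what gets signed.
    filtered = sorted((k, v) for k, v in params.items() if k != "oauth_signature")
    normalized = urlencode(filtered, quote_via=quote)
    return "&".join([method.upper(), quote(url, safe=""), quote(normalized, safe="")])


def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret.
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}".encode()
    digest = hmac.new(key, _base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature_only(method, url, params, consumer_secret):
    # Vulnerable pattern: the signature of a captured URL stays valid forever,
    # so a replayed request passes this check just like the original did.
    expected = sign(method, url, params, consumer_secret).encode()
    presented = params.get("oauth_signature", "").encode()
    return hmac.compare_digest(expected, presented)


class ReplayGuard:
    """Remembers (consumer key, timestamp, nonce) triples for as long as they could be replayed."""

    def __init__(self, window=ACCEPT_WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock  # injectable for deterministic tests
        self._seen = {}  # (consumer_key, timestamp, nonce) -> expiry time

    def _purge(self, now):
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}

    def check(self, params):
        now = self.clock()
        self._purge(now)
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        nonce = params.get("oauth_nonce")
        # Reject missing nonces and timestamps outside the acceptance window.
        if not nonce or abs(now - ts) > self.window:
            return False
        key = (params.get("oauth_consumer_key"), ts, nonce)
        if key in self._seen:
            return False  # exact replay of an already accepted request
        # Once ts + window has passed, the window check alone rejects this triple,
        # so the store only needs to remember it until then.
        self._seen[key] = ts + self.window
        return True


def verify_request(method, url, params, consumer_secret, guard):
    # Fixed pattern: valid signature AND fresh, never-seen nonce/timestamp pair.
    return verify_signature_only(method, url, params, consumer_secret) and guard.check(params)


def demo(now=1_700_000_000):
    """Returns the outcome of verifying a captured signed URL twice under both schemes."""
    secret = "example-consumer-secret"  # constructed
    url = "https://api.example.test/v1/resource"  # constructed
    params = {
        "oauth_consumer_key": "example-consumer",
        "oauth_nonce": "8f1c2a9d",  # constructed
        "oauth_timestamp": str(now),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
        "id": "42",
    }
    params["oauth_signature"] = sign("GET", url, params, secret)
    signed_url = f"{url}?{urlencode(params)}"
    # Parse the URL back exactly as a server receiving the captured request would.
    captured = dict(parse_qsl(urlparse(signed_url).query))
    guard = ReplayGuard(clock=lambda: now)

    # A stale request: signed correctly but with a timestamp outside the window.
    stale = dict(params, oauth_timestamp=str(now - 2 * ACCEPT_WINDOW_SECONDS))
    stale.pop("oauth_signature")
    stale["oauth_signature"] = sign("GET", url, stale, secret)

    return (
        verify_signature_only("GET", url, captured, secret),  # first use: True
        verify_signature_only("GET", url, captured, secret),  # replay: still True
        verify_request("GET", url, captured, secret, guard),  # first use: True
        verify_request("GET", url, captured, secret, guard),  # replay: False
        verify_request("GET", url, stale, secret, ReplayGuard(clock=lambda: now)),  # stale: False
    )


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, True, False, False)`: the signature-only verifier accepts the captured URL every time, while the nonce-aware verifier accepts it once and rejects both the replay and a correctly signed but stale request. The same sequence doubles as the post-upgrade check the advisory recommends: replay a previously captured signed URL and confirm it is rejected.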
No official patch available. Look for alternatives or monitor for updates.
CVE-2013-4346 is a HIGH severity vulnerability in python-oauth2 versions ≤1.5.211. It allows attackers to replay signed URLs due to missing nonce verification, potentially leading to unauthorized actions.
You are affected if your application uses python-oauth2 version 1.5.211 or earlier. Check your installed version using pip show python-oauth2.
Upgrade to version 1.9rc1 or later of python-oauth2. As a temporary measure, implement strict URL validation and rate limiting.
There is no widespread evidence of active exploitation, but the vulnerability's nature makes it a potential target for opportunistic attacks.
While a dedicated advisory might not exist, refer to the python-oauth2 project's repository and related discussions for information: https://github.com/SimpleGeo/python-oauth2