FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
These are the vulnerabilities relating to the commit you have selected:
|ada8db8a-8471-11e9-8170-0050562a4d7b||buildbot -- OAuth Authentication Vulnerability|
Buildbot accepted a user-submitted authorization token from OAuth and used
it to authenticate the user.
The vulnerability can allow malicious attackers to authenticate as legitimate users
of a Buildbot instance without knowledge of the victim's login credentials on certain
If an attacker has an application authorized to access data of another user at the
same Identity Provider as the one used by the Buildbot instance, then he can acquire a token
to access the data of that user, supply the token to the Buildbot instance and successfully
log in as the victim.
|5536ea5f-6814-11e9-a8f7-0050562a4d7b||buildbot -- CRLF injection in Buildbot login and logout redirect code|
A CRLF can be injected in the Location header of /auth/login and /auth/logout.
This is due to a lack of input validation in the Buildbot redirection code.
No way was found to impact the Buildbot product's own security through
this vulnerability, but it could be used to compromise other sites
hosted on the same domain as Buildbot.
- cookie injection on a master domain (i.e. if your Buildbot is on
buildbot.buildbot.net, one can inject a cookie on *.buildbot.net,
which could impact another website hosted in your domain)
- HTTP response splitting and cache poisoning (browser or proxy) are
also typical impacts of this vulnerability class, but might be impractical