FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ada8db8a-8471-11e9-8170-0050562a4d7bbuildbot -- OAuth Authentication Vulnerability

Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user.

The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios.

If an attacker has an application authorized to access data of another user at the same Identity Provider as the used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully login as the victim.


Discovery 2019-05-07
Entry 2019-06-01
py27-buildbot
py35-buildbot
py36-buildbot
py37-buildbot
< 2.3.1

https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication
https://github.com/buildbot/buildbot/pull/4763
CVE-2019-12300
5536ea5f-6814-11e9-a8f7-0050562a4d7bbuildbot -- CRLF injection in Buildbot login and logout redirect code

A CRLF can be injected in Location header of /auth/login and /auth/logout This is due to lack of input validation in the buildbot redirection code.

It was not found a way to impact Buildbot product own security through this vulnerability, but it could be used to compromise other sites hosted on the same domain as Buildbot. - cookie injection a master domain (ie if your buildbot is on buildbot.buildbot.net, one can inject a cookie on *.buildbot.net, which could impact another website hosted in your domain) - HTTP response splitting and cache poisoning (browser or proxy) are also typical impact of this vulnerability class, but might be impractical to exploit.


Discovery 2019-01-29
Entry 2019-04-26
py27-buildbot
py35-buildbot
py36-buildbot
py37-buildbot
< 1.8.0

https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313
CVE-2019-7313