search

vital-ws / vulnerable

0 stars 2 forks source link

oauthlib-3.2.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 6.5) - autoclosed #166

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - oauthlib-3.2.0-py3-none-any.whl

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

Library home page: https://files.pythonhosted.org/packages/1d/46/5ee2475e1b46a26ca0fa10d3c1d479577fde6ee289f8c6aa6d7ec33e31fd/oauthlib-3.2.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/empty/requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/empty/requirements.txt

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (oauthlib version) Remediation Available
CVE-2022-36087 Medium 6.5 oauthlib-3.2.0-py3-none-any.whl Direct oauthlib - 3.2.2

Details

CVE-2022-36087 ### Vulnerable Library - oauthlib-3.2.0-py3-none-any.whl

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

Library home page: https://files.pythonhosted.org/packages/1d/46/5ee2475e1b46a26ca0fa10d3c1d479577fde6ee289f8c6aa6d7ec33e31fd/oauthlib-3.2.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/empty/requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/empty/requirements.txt

Dependency Hierarchy: - :x: **oauthlib-3.2.0-py3-none-any.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds. Mend Note: After conducting further research, Mend has determined that versions 3.1.1 through 3.2.1 of oauthlib are vulnerable to CVE-2022-36087.

Publish Date: 2022-09-09

URL: CVE-2022-36087

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7

Release Date: 2022-09-09

Fix Resolution: oauthlib - 3.2.2

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.