FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-01-14 21:31:10 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
ada8db8a-8471-11e9-8170-0050562a4d7b	buildbot -- OAuth Authentication Vulnerability Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user. The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios. If an attacker has an application authorized to access data of another user at the same Identity Provider as the used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully login as the victim. Discovery 2019-05-07 Entry 2019-06-01 py27-buildbot py35-buildbot py36-buildbot py37-buildbot < 2.3.1 https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication https://github.com/buildbot/buildbot/pull/4763 CVE-2019-12300
5536ea5f-6814-11e9-a8f7-0050562a4d7b	buildbot -- CRLF injection in Buildbot login and logout redirect code A CRLF can be injected in Location header of /auth/login and /auth/logout This is due to lack of input validation in the buildbot redirection code. It was not found a way to impact Buildbot product own security through this vulnerability, but it could be used to compromise other sites hosted on the same domain as Buildbot. - cookie injection a master domain (ie if your buildbot is on buildbot.buildbot.net, one can inject a cookie on *.buildbot.net, which could impact another website hosted in your domain) - HTTP response splitting and cache poisoning (browser or proxy) are also typical impact of this vulnerability class, but might be impractical to exploit. Discovery 2019-01-29 Entry 2019-04-26 py27-buildbot py35-buildbot py36-buildbot py37-buildbot < 1.8.0 https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313 CVE-2019-7313

VuXML ID

Description

ada8db8a-8471-11e9-8170-0050562a4d7b

buildbot -- OAuth Authentication Vulnerability

Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user.

The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios.

If an attacker has an application authorized to access data of another user at the same Identity Provider as the used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully login as the victim.

Discovery 2019-05-07
Entry 2019-06-01
py27-buildbot
py35-buildbot
py36-buildbot
py37-buildbot

< 2.3.1

https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication
https://github.com/buildbot/buildbot/pull/4763
CVE-2019-12300

5536ea5f-6814-11e9-a8f7-0050562a4d7b

buildbot -- CRLF injection in Buildbot login and logout redirect code

A CRLF can be injected in Location header of /auth/login and /auth/logout This is due to lack of input validation in the buildbot redirection code.

It was not found a way to impact Buildbot product own security through this vulnerability, but it could be used to compromise other sites hosted on the same domain as Buildbot. - cookie injection a master domain (ie if your buildbot is on buildbot.buildbot.net, one can inject a cookie on *.buildbot.net, which could impact another website hosted in your domain) - HTTP response splitting and cache poisoning (browser or proxy) are also typical impact of this vulnerability class, but might be impractical to exploit.

Discovery 2019-01-29
Entry 2019-04-26
py27-buildbot
py35-buildbot
py36-buildbot
py37-buildbot

< 1.8.0

https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313
CVE-2019-7313