PyPi: Oauth2

CVE-2013-4346

Safety vulnerability ID: 35462

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 20, 2014 Updated at Mar 29, 2024

Advisory

oauth2 is vulnerable to CVE-2013-4346: python-oauth2 did not verify the nonce of a signed request, so a signature that was valid once stays acceptable to the server. An attacker able to capture the network traffic of a website that accepts OAuth-signed requests from this library can resubmit a captured signed request unchanged (a replay attack) against that website. Note that, despite its PyPI name, this package implements OAuth 1.0, not OAuth 2.0; the "OAuth2" in the original advisory text refers to the package name.
https://github.com/joestump/python-oauth2/issues/129

Affected package

oauth2

Latest version: 1.9.0.post1

library for OAuth version 1.0

Affected versions

Fixed versions

Vulnerability changelog

The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.


MLIST: [oss-security] 20130912 Re: cve requests for python-oauth2: http://www.openwall.com/lists/oss-security/2013/09/12/7
MISC: https://github.com/simplegeo/python-oauth2/issues/129
BID: 62386: http://www.securityfocus.com/bid/62386
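The nonce check that the advisory and the changelog entry above say Server.verify_request lacked, as an added example that is not python-oauth2's code: a self-contained two-legged OAuth 1.0 verifier that validates the HMAC-SHA1 signature, then enforces a timestamp window and rejects any (consumer key, token, nonce) triple already accepted inside that window. The class and function names (Server, NonceStore, sign_request, ReplayError), the consumer key and secret, the URL, the nonce value and the clock values are all constructed for this example and are not the library's API.

```python
# Added example (not python-oauth2's code): signature, timestamp-window and nonce checks
# for two-legged OAuth 1.0 HMAC-SHA1 requests. NonceStore, Server, sign_request and
# ReplayError are names made up for this example, not the library's API.
import base64
import hashlib
import hmac
from urllib.parse import quote

def _pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """Sorted, encoded parameters (signature excluded) joined with method and base URL."""
    normalised = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items())
                          if k != "oauth_signature")
    return f"{method.upper()}&{_pct(url)}&{_pct(normalised)}"

def hmac_sha1_signature(consumer_secret, token_secret, method, url, params):
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(consumer_key, consumer_secret, method, url, params, nonce, timestamp):
    """Client side: attach the oauth_* protocol parameters and sign (no access token)."""
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_nonce=nonce,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(timestamp),
                  oauth_version="1.0")
    signed["oauth_signature"] = hmac_sha1_signature(consumer_secret, "", method, url, signed)
    return signed

class ReplayError(Exception):
    """A nonce the server already accepted inside the window was presented again."""

class NonceStore:
    """In-memory cache keyed by (consumer key, token, nonce); production needs a store
    shared by all server instances with a TTL equal to the window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._seen = {}  # (consumer_key, token, nonce) -> request timestamp

    def check_and_record(self, consumer_key, token, nonce, timestamp, now):
        # Entries older than the window can be dropped: a replay of them is rejected by
        # the timestamp check before the nonce is ever consulted.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.window}
        key = (consumer_key, token, nonce)
        if key in self._seen:
            return False
        self._seen[key] = timestamp
        return True

class Server:
    """Check order: signature first (so unsigned junk cannot fill the nonce store),
    then the timestamp window, then nonce uniqueness."""

    def __init__(self, consumers, now, window_seconds=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.now = now  # callable returning Unix time (e.g. time.time); injectable for the demo
        self.window = window_seconds
        self.nonces = NonceStore(window_seconds)

    def verify_request(self, method, url, params):
        consumer_key = params.get("oauth_consumer_key", "")
        secret = self.consumers.get(consumer_key)
        if secret is None:
            raise ValueError("unknown consumer")
        expected = hmac_sha1_signature(secret, "", method, url, params)
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            raise ValueError("bad signature")
        try:
            timestamp = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            raise ValueError("missing or malformed oauth_timestamp")
        now = self.now()
        if abs(now - timestamp) > self.window:
            raise ValueError("oauth_timestamp outside the accepted window")
        nonce = params.get("oauth_nonce", "")
        if not nonce:
            raise ValueError("missing oauth_nonce")
        token = params.get("oauth_token", "")
        if not self.nonces.check_and_record(consumer_key, token, nonce, timestamp, now):
            raise ReplayError("nonce already used inside the window")
        return True

def demo():
    """Constructed scenario: a valid request, its replay, then the nonce re-used after the window."""
    clock = [1_700_000_000]  # constructed clock, advanced by hand
    server = Server({"app-key": "app-secret"}, now=lambda: clock[0])
    url = "https://api.example.test/photos"
    request = sign_request("app-key", "app-secret", "GET", url, {"size": "large"},
                           nonce="kllo9940pd9333jh", timestamp=clock[0])
    first_ok = server.verify_request("GET", url, request)
    try:
        server.verify_request("GET", url, dict(request))  # attacker resubmits the capture
        replay_rejected = False
    except ReplayError:
        replay_rejected = True
    clock[0] += 301  # past the 300 s window: the old nonce entry has been pruned
    fresh = sign_request("app-key", "app-secret", "GET", url, {"size": "large"},
                         nonce="kllo9940pd9333jh", timestamp=clock[0])
    return first_ok, replay_rejected, server.verify_request("GET", url, fresh)
```

Calling demo() returns (True, True, True): the first request is accepted, the byte-identical replay is refused with ReplayError, and the same nonce is accepted again only once the timestamp window has passed, which is why the store only needs to remember nonces for the length of the window. A verifier that checks the signature but skips the nonce step, as the advisory describes, would accept the replay as readily as the original.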


Severity Details

CVSS v2 Base Score: 4.3 (MEDIUM)
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE