Skip to content

Implementation trusts the "me" field returned by the authorization server without verifying it

Critical severity GitHub Reviewed Published Nov 19, 2020 in simonw/datasette-indieauth • Updated Sep 7, 2023

Package

pip datasette-indieauth (pip)

Affected versions

= 1.0

Patched versions

1.1

Description

Impact

A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user.

Patches

Version 1.1 fixes this issue.

Workarounds

There is no workaround. Upgrade to 1.1 immediately.

References

For more information

If you have any questions or comments about this advisory:

References

@simonw simonw published to simonw/datasette-indieauth Nov 19, 2020
Reviewed Nov 24, 2020
Published to the GitHub Advisory Database Nov 24, 2020
Last updated Sep 7, 2023

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-mjcr-rqjg-rhg3

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.