PT-2022-12618 · Unknown · Scratchoauth2

Apple502J · Published 2022-02-15 · Updated 2022-07-12 · CVE-2021-46249

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ScratchOAuth2 versions before commit d856dc704b2504cd3b92cf089fdd366dd40775d6

Description: An authorization bypass exists in the SpecificApps REST API because the endpoint acts on a user-controlled key without an adequate authorization check. An app owner can use it to set the flag that marks their own app as verified, which the API should not permit.

Recommendations: For ScratchOAuth2 versions before commit d856dc704b2504cd3b92cf089fdd366dd40775d6, update to a version that includes commit d856dc704b2504cd3b92cf089fdd366dd40775d6. As a temporary workaround, restrict access to the SpecificApps REST API to reduce the risk of exploitation.
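The pattern behind this class of bug is a write endpoint that trusts whichever keys the client sends, so a field that should only be settable by an administrator (here, the "verified" flag) can be flipped by the object's owner. The following added example, which is not ScratchOAuth2's code and does not reproduce its REST API, shows the flawed shape of such a handler beside a hardened one: the fix is an ownership check plus an allowlist of owner-writable fields, with the privileged flag moved to a separate admin-only operation. The in-memory app store, user names and field names are constructed assumptions.

```python
"""
Constructed illustration of a user-controlled-key / mass-assignment
authorization bypass and its fix. Not ScratchOAuth2 code; the store,
field names and user ids are assumptions made for this example.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the actor is not allowed to perform the write."""


@dataclass
class App:
    app_id: int
    owner: str
    name: str
    redirect_uri: str
    verified: bool = False  # privileged flag: only an administrator may change it


# Constructed in-memory store standing in for the database.
APPS = {
    1: App(1, "alice", "Alice's app", "https://alice.example/cb"),
    2: App(2, "bob", "Bob's app", "https://bob.example/cb"),
}
ADMINS = {"admin"}

# Fields an app owner may write through the owner-facing endpoint.
OWNER_WRITABLE = {"name", "redirect_uri"}


def update_app_unsafe(actor: str, app_id: int, changes: dict) -> App:
    """Flawed handler: checks ownership but then applies every key the client
    sent, so an owner can set `verified` on their own app."""
    app = APPS[app_id]
    if app.owner != actor:
        raise Forbidden("not the owner")
    for key, value in changes.items():
        setattr(app, key, value)
    return app


def update_app(actor: str, app_id: int, changes: dict) -> App:
    """Hardened handler: ownership check plus an allowlist of writable fields,
    so privileged flags never come from the request body."""
    app = APPS.get(app_id)
    if app is None:
        raise KeyError(app_id)
    if app.owner != actor:
        raise Forbidden("not the owner")
    rejected = set(changes) - OWNER_WRITABLE
    if rejected:
        raise Forbidden(f"field(s) not writable by owner: {sorted(rejected)}")
    for key, value in changes.items():
        setattr(app, key, value)
    return app


def set_verified(actor: str, app_id: int, verified: bool) -> App:
    """Separate, admin-only operation for the privileged flag."""
    if actor not in ADMINS:
        raise Forbidden("admin only")
    app = APPS[app_id]
    app.verified = verified
    return app


def owner_can_set_verified(handler, actor: str, app_id: int) -> bool:
    """Probe: True if `handler` lets `actor` flip `verified` on `app_id`.
    Restores the flag afterwards so the store is unchanged."""
    before = APPS[app_id].verified
    try:
        handler(actor, app_id, {"verified": not before})
    except Forbidden:
        return False
    changed = APPS[app_id].verified != before
    APPS[app_id].verified = before
    return changed


if __name__ == "__main__":
    print("unsafe handler lets owner verify:", owner_can_set_verified(update_app_unsafe, "alice", 1))
    print("hardened handler lets owner verify:", owner_can_set_verified(update_app, "alice", 1))
```

The allowlist is the important part: a denylist of "known privileged" fields tends to drift out of sync with the data model, whereas an explicit set of owner-writable fields fails closed when a new column is added.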

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2021-46249

Affected Products

Scratchoauth2