Description

In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the `state` parameter to prevent cross-site request forgery (CSRF) attacks where a resource owner might have their session associated with protected resources belonging to an attacker. When this project is compiled with certain compiler flags set, it is possible that the `state` parameter will not be checked at all, creating a CSRF vulnerability. Version 0.11 checks the `state` parameter using a regular `if` statement or `doAssert` instead of relying on a plain `assert`. `doAssert` will achieve the desired behavior even if `-d:danger` or `--assertions:off` is set.

INFO

Published Date :

2024-08-15T18:48:08.325Z

Last Modified :

2024-08-20T15:39:54.912Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-42476 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-42476.

URL Resource
https://github.com/CORDEA/oauth/blob/b8c163b0d9cfad6d29ce8c1fb394e5f47182ee1c/src/oauth2.nim#L235 cve-icon cve-icon
https://github.com/CORDEA/oauth/blob/b8c163b0d9cfad6d29ce8c1fb394e5f47182ee1c/src/oauth2.nim#L255 cve-icon cve-icon
https://github.com/CORDEA/oauth/security/advisories/GHSA-pc9j-53g7-5x54 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact