Back to bug 2219737
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| TEJ RATHI | 2023-07-05 04:22:26 UTC | Blocks | 2219738 | |
| Red Hat Bugzilla | 2023-07-07 08:28:14 UTC | Assignee | security-response-team | nobody |
| Marco Benatto | 2023-07-07 20:08:09 UTC | CC | mbenatto | |
| Zack Miele | 2023-07-25 20:20:13 UTC | Doc Text | A Cross-Site-Request-Forgery is possible due to the Oauth2 state parameter being statically generated at startup time and used across all requests for all users. An attacker could use the value of the state parameter to create forged requests on behalf of other users or other sessions of the same user. | |
| Zack Miele | 2023-07-25 20:21:42 UTC | Alias | TRIAGE-CVE-2023-31999 | CVE-2023-31999 |
| | | Summary | TRIAGE-CVE-2023-31999 fastify-oauth2: CSRF due to reused Oauth2 state | CVE-2023-31999 fastify-oauth2: CSRF due to reused Oauth2 state |
| Paige Jung | 2023-07-25 20:38:29 UTC | Doc Text | A Cross-Site-Request-Forgery is possible due to the Oauth2 state parameter being statically generated at startup time and used across all requests for all users. An attacker could use the value of the state parameter to create forged requests on behalf of other users or other sessions of the same user. | A Cross-Site Request Forgery (CSRF) flaw was found in Oauth2. This issue exists due to the state parameter being statically generated at startup time and used across all requests for all users. An attacker could use the value of the state parameter to create forged requests on behalf of other users or other sessions of the same user. |
| Paige Jung | 2023-07-25 20:40:59 UTC | Flags | needinfo?(trathi) | |
| TEJ RATHI | 2023-07-26 04:55:21 UTC | Flags | needinfo?(trathi) | needinfo?(zmiele) |
| | | CC | zmiele | |
| TEJ RATHI | 2023-07-26 04:55:52 UTC | Comment | 5 | updated |
| Zack Miele | 2023-07-26 19:29:06 UTC | Flags | needinfo?(zmiele) | |