
CVE-2024-42476

Date: August 15, 2024

In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the "state" parameter to prevent cross-site request forgery (CSRF) attacks where a resource owner might have their session associated with protected resources belonging to an attacker. When this project is compiled with certain compiler flags set, it is possible that the "state" parameter will not be checked at all, creating a CSRF vulnerability. Version 0.11 checks the "state" parameter using a regular "if" statement or "doAssert" instead of relying on a plain "assert". "doAssert" will achieve the desired behavior even if "-d:danger" or "--assertions:off" is set.
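The core of this issue is that Nim's plain `assert` is a debugging aid, not a security check: the compiler drops it entirely under `-d:danger` or `--assertions:off`, while `doAssert` and an ordinary `if` survive every build configuration. The following Nim snippet is an added illustration of that difference and is not code from the nim OAuth library; the procedure names, the `stored`/`received` parameters and the sample state values are hypothetical and constructed for this example.

```nim
# Added example (not the nim OAuth library's code). Compare how the three
# variants of the "state" check behave when the project is built with
# `nim c -r state_check.nim` versus `nim c -r -d:danger state_check.nim`.

proc verifyStateWithAssert(stored, received: string): bool =
  ## Vulnerable pattern: a plain `assert` is removed by the compiler
  ## under -d:danger / --assertions:off, so any state value is accepted.
  assert stored == received, "state mismatch"
  result = true

proc verifyStateWithDoAssert(stored, received: string): bool =
  ## Fixed pattern: `doAssert` is evaluated regardless of compiler flags
  ## and raises AssertionDefect on mismatch.
  doAssert stored == received, "state mismatch"
  result = true

proc verifyStateWithIf(stored, received: string): bool =
  ## Fixed pattern: an explicit `if` that also rejects an empty/missing
  ## state, returning false so the caller can abort the callback.
  if stored.len == 0 or received.len == 0:
    return false
  result = stored == received

when isMainModule:
  # compileOption reports whether plain asserts were kept in this build.
  echo "assertions compiled in: ", compileOption("assertions")

  # Constructed sample values: the state saved in the user's session when
  # the flow started, and a different value arriving on the callback.
  let stored = "c3f1a9e7"
  let received = "not-the-stored-state"

  try:
    discard verifyStateWithAssert(stored, received)
    echo "assert:   mismatch ACCEPTED (check was stripped at compile time)"
  except AssertionDefect:
    echo "assert:   mismatch rejected (assertions still enabled)"

  try:
    discard verifyStateWithDoAssert(stored, received)
    echo "doAssert: mismatch ACCEPTED (unexpected)"
  except AssertionDefect:
    echo "doAssert: mismatch rejected"

  echo "if:       accepted = ", verifyStateWithIf(stored, received)
```

Built normally, all three variants reject the mismatched state; built with `-d:danger`, only the `assert` variant reports the forged state as accepted, which is the behaviour the advisory describes for versions prior to 0.11.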

Language: NIM

Severity Score

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
