Homepage
About Snyk

buildbot@0.9.12 vulnerabilities

The Continuous Integration Framework

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the buildbot package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Credentials Disclosure

buildbot is a continuous integration framework for automating software build, test, and release processes.

Affected versions of this package are vulnerable to Credentials Disclosure. Buildbot accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can authenticate as the victim.

How to fix Credentials Disclosure?

Upgrade buildbot to version 1.8.2, 2.3.1 or higher.

[0.9.5,1.8.2) [2.0.0,2.3.1)
  • H
CRLF injection

buildbot is a continuous integration framework for automating software build, test, and release processes.

Affected versions of this package are vulnerable to CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.

How to fix CRLF injection?

Upgrade buildbot to version 1.8.1 or higher.

[,1.8.1)
  • H
Timing Attack

buildbot is an open-source continuous integration framework for automating software build, test, and release processes.

Affected versions of this package are vulnerable to Timing Attack. It implemented a character to character comparison !=, and not a time constant string comparison. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the encryption key one character at a time.

How to fix Timing Attack?

Upgrade buildbot to version 1.3.0 or higher.

[,1.3.0)
Go back to all versions of this package