Authorization Bypass Affecting aiohttp_auth_autz package, versions [,0.2.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Authorization Bypass vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-AIOHTTPAUTHAUTZ-2859882
  • published7 Jun 2022
  • disclosed7 Jun 2022
  • creditUnknown

Introduced: 7 Jun 2022

CVE NOT AVAILABLE CWE-285  (opens in a new tab)

How to fix?

Upgrade aiohttp_auth_autz to version 0.2.0 or higher.

Overview

aiohttp_auth_autz is an Authorization and authentication middleware plugin for aiohttp.

Affected versions of this package are vulnerable to Authorization Bypass when an authenticated user has a user_id that is the same as the name of an acl group, giving them the same permissions as the the group.

References

CVSS Base Scores

version 3.1