GMS-2022-6726: Redwood is vulnerable to account takeover via dbAuth "forgot-password"

November 10, 2022

This is an API vulnerability in Redwood’s [dbAuth], specifically the dbAuth forgot password feature: - only projects with the dbAuth “forgot password” feature are affected - this vulnerability was introduced in v0.38.0

References

github.com/advisories/GHSA-3qmc-2r76-4rqp
github.com/redwoodjs/redwood/issues/6343
github.com/redwoodjs/redwood/pull/6778
github.com/redwoodjs/redwood/releases/tag/v2.2.5
github.com/redwoodjs/redwood/releases/tag/v3.3.1
github.com/redwoodjs/redwood/security/advisories/GHSA-3qmc-2r76-4rqp

Code Behaviors & Features

Detect and mitigate GMS-2022-6726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →