CVE-2022-29773: Access control issue in AlekSIS-Core

June 4, 2022 (updated June 6, 2022)

An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.

References

edugit.org/AlekSIS/official/AlekSIS-Core/-/commit/0d39d5f566e1d916e3c8dedd3f5bd62161f30bd8
edugit.org/AlekSIS/official/AlekSIS-Core/-/issues/688
edugit.org/AlekSIS/official/AlekSIS-Core/-/merge_requests/1011
github.com/advisories/GHSA-76x2-h8h3-cwjg
nvd.nist.gov/vuln/detail/CVE-2022-29773

Code Behaviors & Features

Detect and mitigate CVE-2022-29773 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →