GHSA-cqff-fx2x-p86v: botframework-connector vulnerable to Improper Authentication
(updated )
A maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot.
References
- github.com/advisories/GHSA-cqff-fx2x-p86v
- github.com/microsoft/botbuilder-python/blob/main/doc/SkillClaimsValidation.md
- github.com/microsoft/botbuilder-python/security/advisories/GHSA-cqff-fx2x-p86v
- github.com/pypa/advisory-database/tree/main/vulns/botframework-connector/PYSEC-2021-422.yaml
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725
- pypi.org/project/botframework-connector
Code Behaviors & Features
Detect and mitigate GHSA-cqff-fx2x-p86v with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →