CVE-2021-37705: Improper Authorization and Origin Validation Error in OneFuzz
(updated )
Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance.
References
- github.com/advisories/GHSA-q5vh-6whw-x745
- github.com/microsoft/onefuzz
- github.com/microsoft/onefuzz/commit/2fcb4998887959b4fa11894a068d689189742cb1
- github.com/microsoft/onefuzz/pull/1153
- github.com/microsoft/onefuzz/releases/tag/2.31.0
- github.com/microsoft/onefuzz/security/advisories/GHSA-q5vh-6whw-x745
- github.com/pypa/advisory-database/tree/main/vulns/onefuzz/PYSEC-2021-344.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-37705
- pypi.org/project/onefuzz
Code Behaviors & Features
Detect and mitigate CVE-2021-37705 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →