Commit 8e10a866 authored by koobs

security/vuxml: Add buildbot CRLF injection vulnerability

parent 461f20bb
......@@ -58,6 +58,49 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="5536ea5f-6814-11e9-a8f7-0050562a4d7b">
<topic>buildbot -- CRLF injection in Buildbot login and logout redirect code</topic>
<affects>
<package>
<name>py27-buildbot</name>
<name>py35-buildbot</name>
<name>py36-buildbot</name>
<name>py37-buildbot</name>
<range><lt>1.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code">
<p>A CRLF can be injected in Location header of /auth/login and /auth/logout
This is due to lack of input validation in the buildbot redirection code.
</p>
<p>It was not found a way to impact Buildbot product own security through
this vulnerability, but it could be used to compromise other sites
hosted on the same domain as Buildbot.
- cookie injection a master domain (ie if your buildbot is on
buildbot.buildbot.net, one can inject a cookie on *.buildbot.net,
which could impact another website hosted in your domain)
- HTTP response splitting and cache poisoning (browser or proxy) are
also typical impact of this vulnerability class, but might be impractical
to exploit.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313</url>
<cvename>CVE-2019-7313</cvename>
</references>
<dates>
<discovery>2019-01-29</discovery>
<entry>2019-04-26</entry>
</dates>
</vuln>
<vuln vid="2bad8b5d-66fb-11e9-9815-78acc0a3b880">
<topic>drupal -- Drupal core - Moderately critical</topic>
<affects>
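Review bot: the `<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313</url>` reference in the new `<references>` block duplicates the `<cvename>CVE-2019-7313</cvename>` entry directly below it; keep `<cvename>` and drop the MITRE URL, so the only `<url>` left is the upstream Buildbot wiki advisory. Also worth a second look: the quoted `<p>` runs two sentences together without punctuation ("/auth/logout This is due to ...") and carries a plain-text "-" list inside the paragraph; if the quote is meant to stay verbatim that is fine, otherwise a `<ul>`/`<li>` in the XHTML body would render more cleanly.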