Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wasp has case insensitive OAuth ID vulnerability
Vulnerability Description
Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6` which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration.
CVSS Information
N/A
Vulnerability Type
缺省权限不正确
Vulnerability Title
wasp-lang Wasp 安全漏洞
Vulnerability Description
wasp-lang Wasp是wasp-lang开源的一个使用React和Node.js开发全栈web应用程序的最快方法。 wasp-lang Wasp 0.16.6之前版本存在安全漏洞,该漏洞源于OAuth用户ID小写化不当,可能导致用户冒充和权限提升。
CVSS Information
N/A
Vulnerability Type
N/A