Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
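The defensive property at stake is that an authorization server must never issue a 302 to a redirect_uri it has not first matched against the client's registered URIs, and that an OpenID implicit or hybrid request without the openid scope is malformed and should be answered in place rather than redirected. The pre-validator below is an added example written for this advisory, not Authlib's code or its fix; the client registry and the check_authorization_request function are constructed for illustration, and the response_type sets follow OpenID Connect Core sections 3.2 and 3.3.

```python
from urllib.parse import parse_qs

# Constructed example registry (hypothetical, not Authlib's data model):
# client_id -> registered redirect URIs. Matching is exact-string, as RFC 6749 advises.
REGISTERED_REDIRECT_URIS = {
    "client-abc": {"https://app.example.org/callback"},
}

# response_type values of the OpenID Connect implicit and hybrid flows (OIDC Core 3.2 / 3.3).
# Kept as frozensets because response_type is a space-separated, order-insensitive list.
OIDC_IMPLICIT_HYBRID = {
    frozenset(rt.split())
    for rt in ("id_token", "id_token token", "code id_token", "code token", "code id_token token")
}


def check_authorization_request(query_string: str) -> tuple[str, str]:
    """Pre-validate an authorization request before any grant logic runs.

    Returns ("ok", "") when the request may proceed, or ("reject", reason) when the
    server must answer the user agent directly (e.g. HTTP 400) and must NOT redirect.
    """
    params = {k: v[-1] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")

    # 1. Never redirect anywhere until redirect_uri is proven to belong to this client.
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered or redirect_uri not in registered:
        return "reject", "unregistered_redirect_uri"

    # 2. OpenID implicit/hybrid response types are only meaningful with the openid scope;
    #    without it the request is malformed and is answered in place, not via a 302.
    response_type = frozenset(params.get("response_type", "").split())
    scopes = set(params.get("scope", "").split())
    if response_type in OIDC_IMPLICIT_HYBRID and "openid" not in scopes:
        return "reject", "missing_openid_scope"

    return "ok", ""
```

Running this check ahead of the grant dispatcher means a request that omits openid on an OpenID response type never reaches code that might build a redirect from the caller-supplied URI.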
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Affected versions | Fixed versions |
| --- | --- | --- |
| pypi | =1.7.0, >=1.7.0 <1.7.1, >=0 <1.6.12 | 1.7.1, 1.6.12 |
| debian 11 | =0.15.4-1, =0.15.4-1+deb11u1, =0.15.4-1+deb11u2, =0.15.4-2, =0.15.5-1, =1.0.0-1, =1.0.1-1, =1.1.0-1, =1.1.0-2, =1.2.0-1, =1.2.1-1, =1.3.0-1, =1.3.0-2, =1.3.0-3, =1.3.1-1, =1.3.2-1, =1.3.2-2, =1.4.0-1, =1.4.1-1, =1.5.0-1, =1.5.1-1, =1.5.2-1, =1.6.0-1, =1.6.1-1, =1.6.3-1, =1.6.4-1, =1.6.5-1, =1.6.6-1, =1.6.7-1, =1.6.8-1, =1.6.9-1, =1.7.0-1, =1.7.2-1 | - |
| debian 12 | =1.2.0-1, =1.2.0-1+deb12u1, =1.2.1-1, =1.3.0-1, =1.3.0-2, =1.3.0-3, =1.3.1-1, =1.3.2-1, =1.3.2-2, =1.4.0-1, =1.4.1-1, =1.5.0-1, =1.5.1-1, =1.5.2-1, =1.6.0-1, =1.6.1-1, =1.6.3-1, =1.6.4-1, =1.6.5-1, =1.6.6-1, =1.6.7-1, =1.6.8-1, =1.6.9-1, =1.7.0-1, =1.7.2-1 | - |
| debian 13 | =1.6.0-1, =1.6.0-1+deb13u1, =1.6.1-1, =1.6.3-1, =1.6.4-1, =1.6.5-1, =1.6.6-1, =1.6.7-1, =1.6.8-1, =1.6.9-1, =1.7.0-1, =1.7.2-1 | - |
| debian 14 | =1.6.0-1, =1.6.1-1, =1.6.3-1, =1.6.4-1, =1.6.5-1, =1.6.6-1, =1.6.7-1, =1.6.8-1, =1.6.9-1, =1.7.0-1, >=0 <1.7.2-1 | 1.7.2-1 |