AIKIDO-2024-10422

fastapi-sso is vulnerable to Improper Authentication

Score: 91

Severity: Critical

Package: fastapi-sso (python)

AIKIDO-2024-10422: fastapi-sso is vulnerable to Improper Authentication in versions 0.2.3 - 0.15.0.

Improper Authentication
Vulnerable in 0.2.3 - 0.15.0
Fixed in 0.16.0
No CVE available
TL;DR

A race condition in the login flow. The SSO instance is normally created once and shared by every request, and it holds per-login state between the steps of a login, so when two logins run concurrently one request can, in rare cases, pick up state written by the other and finish the login as the wrong user, that is, one user assumes the identity of another.

Who does this affect?

You are affected if your application depends on a fastapi-sso version in the vulnerable range, 0.2.3 through 0.15.0.

How can it be fixed?

Upgrade fastapi-sso to 0.16.0 or later. Upgrading the package alone does not complete the fix: every use of the SSO instance in the login flow must now happen inside an async with context manager (async with sso: ...). That context manager is how the patched version keeps per-login state from leaking between concurrent requests, so calls made on the instance outside of it do not get the full protection.
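As an added example (not fastapi-sso's own code; the class names, the token format and the two-await login flow are constructed for illustration, and the library's internal fix may differ from this lock), the following asyncio script models the shared-instance race the advisory describes and the async with pattern that the fix relies on:

```python
import asyncio


async def fake_token_exchange(code: str) -> str:
    """Constructed stand-in for the HTTPS round trip that swaps an authorization
    code for tokens; sleep(0) yields to the event loop where a real call would."""
    await asyncio.sleep(0)
    return f"id-token-for-{code}"


def user_from_token(id_token: str) -> str:
    """Constructed token format: the identity is whatever follows the prefix."""
    return id_token.removeprefix("id-token-for-")


class SharedStateSSO:
    """Vulnerable pattern: one long-lived instance keeps per-login state
    (here just the ID token) as an attribute, so two concurrent logins can
    overwrite each other's state between awaits."""

    def __init__(self) -> None:
        self._id_token = None

    async def verify_and_process(self, code: str) -> str:
        self._id_token = await fake_token_exchange(code)
        await asyncio.sleep(0)  # second await (e.g. fetching userinfo): another login runs here
        return user_from_token(self._id_token)  # may now be the other login's token


class LockedSSO:
    """Hardened pattern: the instance is only usable inside 'async with', which
    serialises logins on it and clears per-login state on entry and exit."""

    def __init__(self) -> None:
        self._id_token = None
        self._login_lock = asyncio.Lock()

    async def __aenter__(self) -> "LockedSSO":
        await self._login_lock.acquire()
        self._id_token = None
        return self

    async def __aexit__(self, exc_type, exc, tb) -> None:
        self._id_token = None
        self._login_lock.release()

    async def verify_and_process(self, code: str) -> str:
        # Cheap guard against the bare call the old usage allowed; it cannot
        # tell which task holds the lock, it only refuses calls made with no
        # context manager active at all.
        if not self._login_lock.locked():
            raise RuntimeError("use this instance inside 'async with sso:'")
        self._id_token = await fake_token_exchange(code)
        await asyncio.sleep(0)
        return user_from_token(self._id_token)


async def _vulnerable_callbacks() -> list:
    sso = SharedStateSSO()  # created inside the running loop
    return list(await asyncio.gather(
        sso.verify_and_process("alice"), sso.verify_and_process("bob")))


async def _locked_callback(sso: LockedSSO, code: str) -> str:
    async with sso:  # the caller-side usage the patched library requires
        return await sso.verify_and_process(code)


async def _fixed_callbacks() -> list:
    sso = LockedSSO()
    return list(await asyncio.gather(
        _locked_callback(sso, "alice"), _locked_callback(sso, "bob")))


async def _bare_call() -> str:
    try:
        await LockedSSO().verify_and_process("carol")
        return "allowed"
    except RuntimeError:
        return "refused"


def run_vulnerable() -> list:
    """Two concurrent callbacks on the shared instance: alice's login ends as bob."""
    return asyncio.run(_vulnerable_callbacks())


def run_fixed() -> list:
    """Same two callbacks under the context manager: each login keeps its own identity."""
    return asyncio.run(_fixed_callbacks())


def run_bare_call() -> str:
    """Calling the hardened instance outside 'async with' is refused."""
    return asyncio.run(_bare_call())


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("fixed:     ", run_fixed())
    print("bare call: ", run_bare_call())
```

With fastapi-sso 0.16.0 the equivalent in a FastAPI application is to wrap each get_login_redirect() and verify_and_process() call on your SSO instance in async with sso: ... inside the route handler; the toy lock above is only a model of why that matters, but the requirement on the caller is the same.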


© 2024 Aikido Security BV | BE0792914919