The vulnerability stems from improper scope validation in ClientProtectedResourceMixin when allowed_scopes is empty. The check_application_scopes method (or the equivalent scope-validation routine) is the enforcement point for OAuth2 scopes, so it is the call that would appear in runtime traces or profiler output during OAuth2 authorization flows, including during exploitation. GitLab issue #688 and merge request !1011 target this authorization check specifically, and the CVE description names ClientProtectedResourceMixin as the vulnerable component.
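To make the failure mode concrete, the following is an added, constructed illustration (not AlekSIS-Core's code; the function names are hypothetical) of a scope check that fails open when its allowed-scope set is empty, next to a fail-closed version that a defender would expect:

```python
# Constructed example: a scope check that treats an empty allowed-scope set
# as "unrestricted" (fail open) versus one that denies in that case.
# Not AlekSIS-Core's implementation; names and semantics are hypothetical.
from typing import Iterable, Set


def token_scopes(token_scope_str: str) -> Set[str]:
    """Parse the space-separated scope string carried by an OAuth2 token."""
    return set(token_scope_str.split())


def scopes_allowed_fail_open(token_scope_str: str, allowed_scopes: Iterable[str]) -> bool:
    """Vulnerable pattern: when no allowed scopes are configured, every
    syntactically valid token is accepted, whatever scopes it holds."""
    allowed = set(allowed_scopes)
    if not allowed:
        return True  # unconfigured check silently grants access
    return bool(allowed & token_scopes(token_scope_str))


def scopes_allowed_fail_closed(token_scope_str: str, allowed_scopes: Iterable[str]) -> bool:
    """Hardened pattern: an empty allowed-scope set is a misconfiguration
    and denies access; otherwise the token must hold at least one of them."""
    allowed = set(allowed_scopes)
    if not allowed:
        return False  # nothing is permitted until scopes are declared
    return bool(allowed & token_scopes(token_scope_str))


if __name__ == "__main__":
    # A token scoped only for "read" against an endpoint with no scopes declared.
    print("fail-open  :", scopes_allowed_fail_open("read", []))    # True
    print("fail-closed:", scopes_allowed_fail_closed("read", []))  # False
```

A quick regression check for the hardened form is to assert that an empty allowed-scope set is rejected for every token, not just for tokens with no scopes at all.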
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| aleksis-core | pip | < 2.9 | 2.9 |