
CVE-2022-29773: Access control issue in AlekSIS-Core

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.50543%
Published: 6/4/2022
Updated: 1/27/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: aleksis-core
Ecosystem: pip
Vulnerable Versions: < 2.9
First Patched Version: 2.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper scope validation in ClientProtectedResourceMixin when allowed_scopes is empty: instead of denying access, an empty allow-list is treated as no restriction, so a client can reach the resource with arbitrary scopes. The check_application_scopes method (or the equivalent scope validation routine) is the control point for OAuth2 scope enforcement and would therefore appear in runtime traces during exploitation. GitLab issue #688 and merge request !1011 target this authorization check, and the CVE description explicitly names ClientProtectedResourceMixin as the vulnerable component. As a Python class method, it is the frame a profiler would show during OAuth2 authorization flows.
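The failure mode above, an empty allow-list that silently authorises every scope, is easy to reproduce in miniature. The following is an added illustration written for this page, not AlekSIS-Core's code and not a reproduction of aleksis/core/util/auth_helpers.py: the class, token type, method names and the find_unrestricted audit helper are all hypothetical. It places the fail-open check beside a fail-closed one so the difference is visible on the same inputs.

```python
"""OAuth2 scope check on a client-protected resource: fail-open vs fail-closed.

Hypothetical example for this page; it is NOT AlekSIS-Core's implementation.
It models only the pattern the advisory describes: a resource whose empty
allowed-scope list is treated as "no restriction".
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Constructed stand-in for an OAuth2 access token issued to a client."""
    client_id: str
    scopes: frozenset[str]


@dataclass
class ClientProtectedResource:
    """Hypothetical resource reached by an OAuth2 client with its token.

    allowed_scopes is the per-resource allow-list a deployer is expected to
    configure; the bug class here is what happens when they never do.
    """
    allowed_scopes: frozenset[str] = field(default_factory=frozenset)

    def check_scopes_fail_open(self, token: AccessToken, required: set[str]) -> bool:
        """Vulnerable pattern: an empty allow-list means 'anything goes'.

        With no allowed_scopes configured, every token is accepted whatever
        scopes it carries, i.e. arbitrary scopes are reachable.
        """
        if not self.allowed_scopes:
            return True  # fail open: the defect
        return required <= self.allowed_scopes and required <= token.scopes

    def check_scopes_fail_closed(self, token: AccessToken, required: set[str]) -> bool:
        """Hardened pattern: an empty allow-list authorises nothing.

        Every required scope must be both explicitly allowed for this
        resource and actually present in the presented token.
        """
        if not self.allowed_scopes:
            return False  # fail closed: misconfiguration denies, not grants
        return required <= self.allowed_scopes and required <= token.scopes


def find_unrestricted(resources: dict[str, ClientProtectedResource]) -> list[str]:
    """Configuration audit: names of resources with no allow-list set.

    A defender can run this over registered resources to spot the exact
    condition under which the fail-open check grants everything.
    """
    return sorted(name for name, res in resources.items() if not res.allowed_scopes)


if __name__ == "__main__":
    # Constructed sample: a token that only holds the "read" scope.
    token = AccessToken(client_id="client-a", scopes=frozenset({"read"}))
    unconfigured = ClientProtectedResource()
    configured = ClientProtectedResource(allowed_scopes=frozenset({"read", "write"}))

    print("unconfigured, asks for admin, fail-open  :", unconfigured.check_scopes_fail_open(token, {"admin"}))
    print("unconfigured, asks for admin, fail-closed:", unconfigured.check_scopes_fail_closed(token, {"admin"}))
    print("configured,   asks for read,  fail-closed:", configured.check_scopes_fail_closed(token, {"read"}))
    print("resources with no allow-list:", find_unrestricted({"api": unconfigured, "files": configured}))
```

The only line that differs between the two checks is what happens on an empty allow-list; everything downstream is identical. That is the practitioner's takeaway: an authorization default must deny, and an audit for empty allow-lists is a cheap way to catch the configuration that turns the fail-open variant into full scope exposure.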


WAF Protection Rules

WAF Rule

An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core versions before 2.9 allows attackers to access arbitrary scopes if no allowed scopes are specifically set.
