ALAS-2014-425 ---- python-oauth2
ID: oval:org.secpod.oval:def:1600011 | Date: (C)2016-01-19 (M)2023-02-20 | Class: PATCH | Family: unix
The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL. The make_nonce, generate_nonce, and generate_verifier functions in SimpleGeo python-oauth2 use weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.
Platform: Amazon Linux AMI