Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under state{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Authlib | Authlib | * | 1.6.6 (excluding) |
| Red Hat Quay 3.15 | RedHat | quay/quay-rhel8:1775169219 | * |
| Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1775069491 | * |
| Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1775169226 | * |
| Red Hat Satellite 6.18 | RedHat | satellite/foreman-mcp-server-rhel9:1782228427 | * |
| Python-authlib | Ubuntu | esm-apps/noble | * |
| Python-authlib | Ubuntu | noble | * |
| Python-authlib | Ubuntu | plucky | * |
| Python-authlib | Ubuntu | questing | * |
| Python-authlib | Ubuntu | upstream | * |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html
References
- https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489
- https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228
- https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523
- https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523