PyPi: Buildbot

CVE-2019-7313

Safety vulnerability ID: 36865

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 03, 2019 Updated at May 07, 2024

Scan your Python projects for vulnerabilities →

Advisory

Buildbot 1.8.1 includes a fix for CVE-2019-7313: www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.

Affected package

buildbot

Latest version: 3.11.2

The Continuous Integration Framework

Affected versions

Fixed versions

Vulnerability changelog

Deprecations and Removals
-------------------------

- Removed support for Python 2.7 in the buildbot master code.
Buildbot worker remains compatible with python2.7, and interoperability tests are run continuously.
- APIs that are not documented in the official Buildbot documentation have been
made private. Users of these undocumented APIs are encouraged to file bugs to
get them exposed.
- Removed support of old slave APIs from pre-0.9 days. Using old APIs may fail
silently. To avoid weird errors when upgrading a Buildbot installation that
may use old APIs, first upgrade to to 1.8.0 and make sure there are no
deprecated API warnings.
- Remove deprecated default value handling of the ``keypair_name`` and
``security_name`` attributes of ``EC2LatentWorker``.
- Support for ``Hyper.sh`` containers cloud provider has been removed as this
service has shutdown.

Bug fixes
---------

- Fix CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)
Thanks to ``mik317`` and ``mariadb`` for reporting it.

- Fix lockup during master shutdown when there's a build with unanswered ping
from the worker and the TCP connection to worker is severed (issue:`4575`).
- Fix RemoteUserAuth.maybeAutLogin consumes bytes object as str leading to
TypeError during JSON serialization. (:issue:`4402`)
- Various database integrity problems were fixed. Most notably, it is now
possible to delete old changes without wiping all "child" changes in cascade
(:issue:`4539`, :pull:`4536`).
- The GitLab change hook secret is now rendered correctly. (:issue:`4118`).

Features
--------

- Identifiers can now contain UTF-8 characters which are not ASCII. This
includes worker names, builder names, and step names.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.1

CVSS v3 Details

MEDIUM 6.1

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Availability (A): NONE

CVSS v2 Details

MEDIUM 5.8

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL