Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhodzktMzVwMi1xMmM1
Steam Socialite Provider v1 does not correctly validate openid server
Impact
The outdated version 1 of the Steam Socialite Provider doesn't check properly if the login comes from steamcommunity.com, allowing a malicious actor to substitute their own openID server.
Patches
This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained, users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.
For more information
If you have any questions or comments about this advisory:
- Open an issue in SocialiteProviders/Providers
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhodzktMzVwMi1xMmM1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-hhw9-35p2-q2c5
References:
- https://github.com/SocialiteProviders/Steam/security/advisories/GHSA-hhw9-35p2-q2c5
- https://packagist.org/packages/socialiteproviders/steam
- https://github.com/advisories/GHSA-hhw9-35p2-q2c5
Blast Radius: 0.0
Affected Packages
packagist:socialiteproviders/steam
Dependent packages: 1Dependent repositories: 21
Downloads: 228,658 total
Affected Version Ranges: < 1.1
Fixed in: 3.0
All affected versions: 1.0.0, 1.0.1
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 4.0.0, 4.1.0, 4.1.1, 4.2.0