You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
andrasbacsai
published
GHSA-496v-9q38-2x6cJan 24, 2025
Package
coolify
(coollabsio)
Affected versions
< v4.0.0-beta.361
Patched versions
v4.0.0-beta.361
Description
The missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration.
This exposes the "client id" and "client secret" for every custom OAuth provider.
The attacker can also modify the global OAuth configuration.
angelej Finder
The missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration.
This exposes the "client id" and "client secret" for every custom OAuth provider.
The attacker can also modify the global OAuth configuration.
PoC