Authenticating with deleted API Key

Moderate

martenson published GHSA-2rqh-4mp5-ccf3

Jun 27, 2023

Package

No package listed

Affected versions

dev

Patched versions

dev

Description

Summary

Galaxy can authenticate user using user's deleted API key as long as a new key is not created.

When a new key is created the old deleted key does not work anymore.

Severity

Moderate

4.9

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N