chore(deps): update dependency authlib to v1.6.11 [security]

[agntcy-automation]

This PR contains the following updates:

Package	Change	Age	Confidence
authlib	1.6.10 → 1.6.11

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Authlib: Cross-site request forging when using cache

GHSA-jj8c-mmj3-mmgv

More information

Details

Summary

There is no CSRF protection on the cache feature on most integrations clients.

Details

In authlib.integrations.starlette_client.OAuth, no CSRF protection is set up when using the cache parameter. When not using the cache parameter, the use of SessionMiddleware ties the client to the auth state, preventing CSRF attacks. With the cache, there is no such mechanism. Other integratons have the same issue, it's not just starlette.

The state parameter is taken from the callback URL and the state is fetched from the cache without checking that it is the same client calling the redirect endpoint as was the one that initiated the auth flow.

This issue is documented in RFC 6749 section 10.12:
https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

PoC

• Set up a Starlette integration with a cache
• The attacker starts the auth flow up until before the callback URL is followed.
• The attacked sends the redirect URL to the victim
• The victim now completes the authorisation

Impact

This impacts all users that use the cache to store auth state.

All users will be vulnerable to CSRF attacks and may have an attacker's account tied to their own. In our specific scenario, this allowed attackers to push invoices into a victim's account, ready to be paid. Very serious.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv
• https://github.com/authlib/authlib

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

authlib/authlib (authlib)

v1.6.11

Compare Source

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

[agntcy-automation]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock

spawn uv ENOENT

File name: undefined

Command failed: task helm:gen
�[31mtask: Task "helm:gen" does not exist
�[0m

File name: undefined

Command failed: task deps:tidy
�[31mtask: Task "deps:tidy" does not exist
�[0m