CVE-2021-29437

8.0 HIGH

📋 TL;DR

This vulnerability allows third-party websites to trick Scratch users into revealing their OAuth2 login codes, enabling attackers to impersonate those users and gain full access to their Scratch accounts. It affects users of ScratchOAuth2 implementations who interact with malicious websites. The flaw lies in the OAuth2 implementation's authentication flow.

💻 Affected Systems

Products:
  • ScratchOAuth2
Versions: All versions before commit 9220c2a77eda3df37a84486ad722f1ad0985d8e7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any implementation using the vulnerable ScratchOAuth2 library.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full control of the user's Scratch account, allowing them to modify projects, post malicious content, steal personal data, and perform actions as the victim.

🟠 Likely Case

Account takeover leading to unauthorized modifications of user projects, posting of malicious content, and potential data theft.

🟢 If Mitigated

Limited impact if users are educated about phishing risks and avoid posting codes from untrusted sources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick users into posting codes, but the technical complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 9220c2a77eda3df37a84486ad722f1ad0985d8e7

Vendor Advisory: https://github.com/ScratchVerifier/ScratchOAuth2/security/advisories/GHSA-gvpg-23fh-8g75

Restart Required: No

Instructions:

1. Update to the patched version of ScratchOAuth2.
2. Apply commit 9220c2a77eda3df37a84486ad722f1ad0985d8e7.
3. Verify the fix by testing the OAuth2 flow.

🔧 Temporary Workarounds

User Education

all

Educate users to never post codes from third-party websites on their Scratch profiles.

🧯 If You Can't Patch

  • Disable ScratchOAuth2 integration until patched
  • Implement additional authentication checks before accepting OAuth2 codes

🔍 How to Verify

Check if Vulnerable:

Check if your ScratchOAuth2 version is before commit 9220c2a77eda3df37a84486ad722f1ad0985d8e7.

Check Version:

git merge-base --is-ancestor 9220c2a77eda3df37a84486ad722f1ad0985d8e7 HEAD && echo "fix commit present"

(git log --oneline prints abbreviated hashes, so grepping for the full 40-character hash would never match; the command above instead asks git whether the fix commit is an ancestor of the checked-out revision.)

Verify Fix Applied:

Verify the commit 9220c2a77eda3df37a84486ad722f1ad0985d8e7 is applied and test that OAuth2 codes cannot be intercepted via user profile posting.

📡 Detection & Monitoring

Log Indicators:

  • Unusual OAuth2 login patterns
  • Multiple failed login attempts from the same IP

Network Indicators:

  • Traffic to known malicious domains requesting Scratch usernames

SIEM Query:

source="oauth2_logs" AND (event="login_code_posted" OR event="unusual_auth_flow")
