CVE-2021-29437
CVE-2021-29437 is a high-severity vulnerability in Scratchoauth2 Project Scratchoauth2 with a CVSS 3.x base score of 8.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.
Key facts
- Severity: High (CVSS 3.x base score 8.0)
- CVSS v2: 4.0
- EPSS exploit prediction: 1% (52nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-863
- Affected product: Scratchoauth2 Project Scratchoauth2
- Published:
- Last modified:
Description
ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user for Scratch username. 3. 3rd party site pretends to be user and gets login code from ScratchOAuth2. 4. 3rd party site gives code to user and instructs them to post it on their profile. 5. User posts code on their profile, not knowing it is a ScratchOAuth2 login code. 6. 3rd party site completes login with ScratchOAuth2. 7. 3rd party site has full access to anything the user could do if they directly logged in. See referenced GitHub security advisory for patch notes and workarounds.
Frequently asked questions
- What is CVE-2021-29437?
- ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user for Scratch username. 3. 3rd party site pretends to be user and gets login code from ScratchOAuth2. 4. 3rd party site gives code to user and instructs them to post it on their profile. 5. User posts code on their profile, not knowing it is a ScratchOAuth2 login code. 6. 3rd party site completes login with ScratchOAuth2. 7. 3rd party site has full access to anything the user could do if they directly logged in. See referenced GitHub security advisory for patch notes and workarounds.
- How severe is CVE-2021-29437?
- CVE-2021-29437 has a CVSS 3.x base score of 8.0, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2021-29437 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-29437?
- CVE-2021-29437 affects Scratchoauth2 Project Scratchoauth2. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-29437?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-29437 published?
- CVE-2021-29437 was published on 2021-04-13 and last updated on 2026-06-17.
References
- https://github.com/ScratchVerifier/ScratchOAuth2/commit/9220c2a77eda3df37a84486ad722f1ad0985d8e7
- https://github.com/ScratchVerifier/ScratchOAuth2/security/advisories/GHSA-gvpg-23fh-8g75
Affected products (1)
- cpe:2.3:a:scratchoauth2_project:scratchoauth2:*:*:*:*:*:scratch:*:*
More vulnerabilities in Scratchoauth2 Project Scratchoauth2
- CVE-2021-46250 — Critical (CVSS 10.0): An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows…
- CVE-2021-46249 — Medium (CVSS 6.5): An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit…
- CVE-2021-46251 — Medium (CVSS 6.1): A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows…
All CVEs affecting Scratchoauth2 Project Scratchoauth2 →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →