ghsa-rc4q-9m69-gqp8
Vulnerability from github
Published
2021-05-17 20:53
Modified
2021-05-17 20:29
Severity: MODERATE (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Summary
Lack of protection against cookie tossing attacks in fastify-csrf
Details
Impact
Users of fastify-csrf that rely on the "double submit" mechanism (the CSRF secret kept in a cookie, the token submitted with the request) in an application deployed across multiple subdomains, e.g. a "heroku"-style platform as a service where other tenants control sibling subdomains. A page on a sibling subdomain can set a cookie scoped to the shared parent domain (cookie tossing); the browser then also sends that cookie to the application, so an attacker can pair a secret cookie they chose with a token they generated themselves and pass the double-submit check without knowing anything about the victim's session.
Patches
Version 3.1.0 of fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.
Upgrading alone is not sufficient: the user of the module must also supply a userInfo value (something tied to the authenticated user, such as a session identifier or user name) when generating the CSRF token, so that the token is bound to that user and a secret/token pair minted for an attacker's own session on a sibling subdomain no longer verifies for the victim. This is needed only for applications hosted on different subdomains.
Workarounds
None available.
References
- https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
Credits
This vulnerability was found by Xhelal Likaj xhelallikaj20@gmail.com.
For more information
If you have any questions or comments about this advisory:
- Open an issue in fastify-csrf (https://github.com/fastify/fastify-csrf)
- Email us at hello@matteocollina.com
{ "affected": [ { "package": { "ecosystem": "npm", "name": "fastify-csrf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.1.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-29624" ], "database_specific": { "cwe_ids": [ "CWE-352", "CWE-565" ], "github_reviewed": true, "github_reviewed_at": "2021-05-17T20:29:48Z", "nvd_published_at": "2021-05-19T22:15:00Z", "severity": "MODERATE" }, "details": "### Impact\n\nUsers that used fastify-csrf with the \"double submit\" mechanism using cookies with an application deployed across multiple subdomains, e.g. \"heroku\"-style platform as a service. \n\n### Patches\n\nVersion 3.1.0 of the fastify-csrf fixes it. \nSee https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.\n\nThe user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.\n\n### Workarounds\n\nNone available.\n\n### References\n\n1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html\n2. 
https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf\n\n### Credits\n\nThis vulnerability was found by Xhelal Likaj \u003cxhelallikaj20@gmail.com\u003e.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [fastify-csrf](https://github.com/fastify/fastify-csrf)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n", "id": "GHSA-rc4q-9m69-gqp8", "modified": "2021-05-17T20:29:48Z", "published": "2021-05-17T20:53:30Z", "references": [ { "type": "WEB", "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29624" }, { "type": "WEB", "url": "https://github.com/fastify/csrf/pull/2" }, { "type": "WEB", "url": "https://github.com/fastify/fastify-csrf/pull/51" }, { "type": "WEB", "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html" }, { "type": "WEB", "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0" }, { "type": "WEB", "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Lack of protection against cookie tossing attacks in fastify-csrf" }