Lucene search

MitreCVE-2018-20595

HistoryDec 30, 2018 - 6:29 p.m.

CVE-2018-20595

2018-12-3018:29:00

CWE-352

mitre

web.nvd.nist.gov

csrf

web security

authentication

java

oauth2

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.002

Percentile

53.3%

JSON

A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful.

Affected configurations

Nvd

Node

hswebhswebMatch3.0.4

VendorProductVersionCPE
hswebhsweb3.0.4cpe:2.3:a:hsweb:hsweb:3.0.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
hsweb	hsweb	3.0.4	cpe:2.3:a:hsweb:hsweb:3.0.4:::::::*

References

github.com/hs-web/hsweb-framework/commit/40929e9b0d336a26281a5ed2e0e721d54dd8d2f2

github.com/hs-web/hsweb-framework/issues/107

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.002

Percentile

53.3%

JSON

Related for CVE-2018-20595