GitHub_MCVELIST:CVE-2024-31205CVE-2024-31205 Saleor CSRF bypass in refreshToken mutation
4.2 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in refreshToken mutation, while the token persists in JWT_REFRESH_TOKEN_COOKIE_NAME cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token. This will fix the issue, but be aware, that it returns JWT_MISSING_TOKEN instead of JWT_INVALID_TOKEN.
CNA Affected
[
{
"vendor": "saleor",
"product": "saleor",
"versions": [
{
"version": ">= 3.10.0, < 3.14.64",
"status": "affected"
},
{
"version": ">= 3.15.0, < 3.15.39",
"status": "affected"
},
{
"version": ">= 3.16.0, < 3.16.39",
"status": "affected"
},
{
"version": ">= 3.17.0, < 3.17.35",
"status": "affected"
},
{
"version": ">= 3.18.0, < 3.18.31",
"status": "affected"
},
{
"version": ">= 3.19.0, < 3.19.19",
"status": "affected"
}
]
}
]Related
4.2 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%