Lucene search

GoogleOSV:GO-2022-1213

HistoryJan 03, 2023 - 11:05 p.m.

Insecure generation of cookies in github.com/go-macaron/csrf

2023-01-0323:05:24

Google

osv.dev

insecure generation

github.com

go-macaron/csrf

options.secure

ignore

software

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

41.7%

JSON

The Options.Secure value is ignored, and cookies created by Generate never have the secure attribute.

References

github.com/go-macaron/csrf/commit/dadd1711a617000b70e5e408a76531b73187031c

github.com/go-macaron/csrf/pull/7

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

41.7%

JSON

Related for OSV:GO-2022-1213