Veracode Vulnerability DatabaseVERACODE:40269Cross-site Request Forgery (CSRF)
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
20.3%
@fastify/csrf-protection is vulnerable to Cross-site Request Forgery (CSRF). An attackers is able to bypass the CSRF protection mechanism by fixing a _csrf cookie in the victim’s browser and forging valid CSRF tokens that are valid for the victim’s session.
References
github.com/fastify/csrf-protection/commit/4d95248fab9a946825fae2d8856e10c08ea5216b
github.com/fastify/csrf-protection/commit/be3e5761f37aa05c7c1ac8ed44499c51ecec8058
github.com/fastify/csrf-protection/pull/132
github.com/fastify/csrf-protection/security/advisories/GHSA-qrgf-9gpc-vrxw
www.cvedetails.com/cve/CVE-2021-29624
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
20.3%