Lucene search

Veracode Vulnerability DatabaseVERACODE:41119

HistoryJul 05, 2023 - 8:38 a.m.

Cross-Site Request Forgery (CSRF)

2023-07-0508:38:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

fastify-oauth2

csrf

state parameter

attacker

session

unauthorized access

user accounts

software

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.5%

JSON

fastify-oauth2, is vulnerable to Cross-Site Request Forgery. The vulnerability exists due to lack of randomness in the state parameter of index.js which allows an attacker to execute operations within the victim’s session, leading to unauthorized access to user accounts.

CPENameOperatorVersion
fastify-oauth2le4.6.0
@fastify/oauth2le7.1.1
fastify-oauth2le4.6.0
@fastify/oauth2le7.1.1

Name	Operator	Version
fastify-oauth2	le	4.6.0
@fastify/oauth2	le	7.1.1
fastify-oauth2	le	4.6.0
@fastify/oauth2	le	7.1.1

References

auth0.com/docs/secure/attack-protection/state-parameters

github.com/fastify/fastify-oauth2/commit/bff756b456cbb769080631af2beb85671ff4c79c

github.com/fastify/fastify-oauth2/releases/tag/v7.2.0

hackerone.com/reports/2020418

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.5%

JSON

Related for VERACODE:41119