Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-27495

Disclosure Date: April 20, 2023 •

CVE-2023-27495 CVSS v3 Base Score: 6.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

@fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the user. This parameter has been introduced to prevent cookie-tossing attacks as a fix for CVE-2021-29624. Whenever userInfo parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can 1. fixate a _csrf cookie in the victim’s browser, and 2. forge CSRF tokens that are valid for the victim’s session. This allows attackers to bypass the CSRF protection mechanism. As a fix, @fastify/csrf-protection starting from version 6.3.0 (and v4.1.0) includes a server-defined secret hmacKey that cryptographically binds the CSRF token to the value of the _csrf cookie and the userInfo parameter, making tokens non-spoofable by attackers. This protection is effective as long as the userInfo parameter is unique for each user. This is patched in versions 6.3.0 and v4.1.0. Users are advised to upgrade. Users unable to upgrade may use a random, non-predictable userInfo parameter for each user as a mitigation.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.5 Medium

Impact Score:

3.6

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

None

Vendors

fastify

Products

csrf-protection

References

Canonical

CVE-2023-27495 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27495)

Miscellaneous

https://github.com/fastify/csrf-protection/security/advisories/GHSA-qrgf-9gpc-vrxw

https://github.com/fastify/csrf-protection/commit/be3e5761f37aa05c7c1ac8ed44499c51ecec8058

https://www.cvedetails.com/cve/CVE-2021-29624

Rapid7

Unknown

CVE-2023-27495

Unknown

Unknown

Required

None

Network

CVE-2023-27495

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-27495

Unknown

Unknown

Required

None

Network

CVE-2023-27495

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification