CVE-2018-1000843 - OpenCVE

Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability appears to have been fixed in 2.8.0 and later.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Spotify	Luigi

Configuration 1 [-]

cpe:2.3:a:spotify:luigi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67
https://github.com/spotify/luigi/pull/1870
https://groups.google.com/forum/#%21topic/luigi-user/ZgfRTpBsVUY

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-12-20T15:00:00Z

Updated: 2024-09-16T17:43:37.968Z

Reserved: 2018-12-20T00:00:00Z

Link: CVE-2018-1000843

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-12-20T15:29:02.047

Modified: 2023-11-07T02:51:13.777

Link: CVE-2018-1000843

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability appears to have been fixed in 2.8.0 and later."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-20T15:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/spotify/luigi/pull/1870"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/luigi-user/ZgfRTpBsVUY"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-11-27T13:54:33.480387", "DATE_REQUESTED": "2018-11-02T13:25:28", "ID": "CVE-2018-1000843", "REQUESTER": "honnix@spotify.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability appears to have been fixed in 2.8.0 and later."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/spotify/luigi/pull/1870", "refsource": "MISC", "url": "https://github.com/spotify/luigi/pull/1870"}, {"name": "https://groups.google.com/forum/#!topic/luigi-user/ZgfRTpBsVUY", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/luigi-user/ZgfRTpBsVUY"}, {"name": "https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67", "refsource": "MISC", "url": "https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:47:57.573Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/spotify/luigi/pull/1870"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/luigi-user/ZgfRTpBsVUY"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000843", "datePublished": "2018-12-20T15:00:00Z", "dateReserved": "2018-12-20T00:00:00Z", "dateUpdated": "2024-09-16T17:43:37.968Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spotify:luigi:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F5014BB-150D-476C-95A5-14D0229116B9", "versionEndExcluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability appears to have been fixed in 2.8.0 and later."}, {"lang": "es", "value": "Luigi, en versiones anteriores a la 2.8.0, tras el commit con ID 53b52e12745075a8acc016d33945d9d6a7a6aaeb y tras GitHub PR spotify/luigi/pull/1870, contiene una vulnerabilidad Cross-Site Request Forgery (CSRF) en el endpoint de la API /api/method, que puede resultar en que metadatos de tareas como task name, id, parameter, etc., sean filtrados a usuarios no autorizados. Este ataque parece ser explotable si la v\u00edctima visita una p\u00e1gina web especialmente manipulada desde la red en la que se puede acceder al servidor de Luigi. La vulnerabilidad parece haber sido solucionada en las versiones 2.8.0 y siguientes."}], "id": "CVE-2018-1000843", "lastModified": "2023-11-07T02:51:13.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-20T15:29:02.047", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/spotify/luigi/pull/1870"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/luigi-user/ZgfRTpBsVUY"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}