CVE-2020-7780 - OpenCVE

This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Softwaremill	Akka-http-session

Configuration 1 [-]

cpe:2.3:a:softwaremill:akka-http-session:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41
https://github.com/softwaremill/akka-http-session/issues/74
https://github.com/softwaremill/akka-http-session/issues/77
https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352
https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654
https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-11-27T16:40:10.538198Z

Updated: 2024-09-17T04:24:28.153Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7780

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-27T17:15:12.093

Modified: 2020-12-04T15:08:17.427

Link: CVE-2020-7780

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "com.softwaremill.akka-http-session:core_2.13", "vendor": "n/a", "versions": [{"lessThan": "0.5.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "com.softwaremill.akka-http-session:core_2.12", "vendor": "n/a", "versions": [{"lessThan": "0.5.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "com.softwaremill.akka-http-session:core_2.11", "vendor": "n/a", "versions": [{"lessThan": "0.5.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Willem Vermeer"}], "datePublic": "2020-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cross-site Request Forgery (CSRF)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-27T16:40:10", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}], "title": "Cross-site Request Forgery (CSRF)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-11-27T16:35:14.740953Z", "ID": "CVE-2020-7780", "STATE": "PUBLIC", "TITLE": "Cross-site Request Forgery (CSRF)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "com.softwaremill.akka-http-session:core_2.13", "version": {"version_data": [{"version_affected": "<", "version_value": "0.5.11"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "com.softwaremill.akka-http-session:core_2.12", "version": {"version_data": [{"version_affected": "<", "version_value": "0.5.11"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "com.softwaremill.akka-http-session:core_2.11", "version": {"version_data": [{"version_affected": "<", "version_value": "0.5.11"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Willem Vermeer"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}, {"name": "https://github.com/softwaremill/akka-http-session/issues/77", "refsource": "MISC", "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"name": "https://github.com/softwaremill/akka-http-session/issues/74", "refsource": "MISC", "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"name": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41", "refsource": "MISC", "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.565Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7780", "datePublished": "2020-11-27T16:40:10.538198Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-17T04:24:28.153Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softwaremill:akka-http-session:*:*:*:*:*:*:*:*", "matchCriteriaId": "038B6CC8-C737-443E-9B33-81657D699BA8", "versionEndIncluding": "0.5.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie."}, {"lang": "es", "value": "Esto afecta al paquete com.softwaremill.akka-http-session:core_2.13 versiones anteriores a 0.5.11; el paquete com.softwaremill.akka-http-session:core_2.12 versiones anteriores a 0.5.11; el paquete com.softwaremill.akka-http-session:core_2.11 versiones anteriores a 0.5.11. Para versiones anteriores, unos endpoint protegidos por la funci\u00f3n randomTokenCsrfProtection podr\u00edan omitirse con un encabezado X-XSRF-TOKEN vac\u00edo y una cookie XSRF-TOKEN vac\u00eda"}], "id": "CVE-2020-7780", "lastModified": "2020-12-04T15:08:17.427", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-11-27T17:15:12.093", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}