CVE-2021-29624 - OpenCVE

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fastify	Fastify-csrf

Configuration 1 [-]

cpe:2.3:a:fastify:fastify-csrf:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
https://github.com/fastify/csrf/pull/2
https://github.com/fastify/fastify-csrf/pull/51
https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0
https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8
https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-05-19T21:15:28

Updated: 2024-08-03T22:11:06.350Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29624

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-19T22:15:07.837

Modified: 2022-10-25T20:56:24.977

Link: CVE-2021-29624

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "fastify-csrf", "vendor": "fastify", "versions": [{"status": "affected", "version": "< 3.1.0"}]}], "descriptions": [{"lang": "en", "value": "fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a \"double submit\" mechanism using cookies with an application deployed across multiple subdomains, e.g. \"heroku\"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-565", "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-19T21:15:28", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/csrf/pull/2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify-csrf/pull/51"}, {"tags": ["x_refsource_MISC"], "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"}, {"tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"}], "source": {"advisory": "GHSA-rc4q-9m69-gqp8", "discovery": "UNKNOWN"}, "title": "Lack of protection against cookie tossing attacks in fastify-csrf", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29624", "STATE": "PUBLIC", "TITLE": "Lack of protection against cookie tossing attacks in fastify-csrf"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "fastify-csrf", "version": {"version_data": [{"version_value": "< 3.1.0"}]}}]}, "vendor_name": "fastify"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a \"double submit\" mechanism using cookies with an application deployed across multiple subdomains, e.g. \"heroku\"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-565: Reliance on Cookies without Validation and Integrity Checking"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8", "refsource": "CONFIRM", "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"}, {"name": "https://github.com/fastify/csrf/pull/2", "refsource": "MISC", "url": "https://github.com/fastify/csrf/pull/2"}, {"name": "https://github.com/fastify/fastify-csrf/pull/51", "refsource": "MISC", "url": "https://github.com/fastify/fastify-csrf/pull/51"}, {"name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "refsource": "MISC", "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"}, {"name": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0", "refsource": "MISC", "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"}, {"name": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf", "refsource": "MISC", "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"}]}, "source": {"advisory": "GHSA-rc4q-9m69-gqp8", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:11:06.350Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fastify/csrf/pull/2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fastify/fastify-csrf/pull/51"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29624", "datePublished": "2021-05-19T21:15:28", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:11:06.350Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify-csrf:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0F5A2AFF-5DF3-40ED-B043-5D581FC7E05E", "versionEndExcluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a \"double submit\" mechanism using cookies with an application deployed across multiple subdomains, e.g. \"heroku\"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains."}, {"lang": "es", "value": "fastify-csrf es un plugin de c\u00f3digo abierto que ayuda a desarrolladores a proteger su servidor Fastify contra ataques de tipo CSRF. Las versiones de fastify-csrf anterior a versi\u00f3n 3.1.0, presentan un mecanismo de \"double submit\" usando cookies con una aplicaci\u00f3n implementada en m\u00faltiples subdominios, por ejemplo, una plataforma de estilo \"heroku\" como servicio. La versi\u00f3n 3.1.0 de fastify-csrf corrige la vulnerabilidad. El usuario del m\u00f3dulo necesitar\u00eda suministrar un \"userInfo\" cuando se genera el token de tipo CSRF para implementar completamente la protecci\u00f3n en su extremo. Esto solo es necesario para aplicaciones alojadas en diferentes subdominios"}], "id": "CVE-2021-29624", "lastModified": "2022-10-25T20:56:24.977", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-05-19T22:15:07.837", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/csrf/pull/2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/fastify-csrf/pull/51"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-565"}], "source": "security-advisories@github.com", "type": "Secondary"}]}