CVE-2023-40021 - Vulnerability Details

Vendors	Products
Oppia	Oppia

Source	ID	Title
EUVD	EUVD-2023-44640	Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator (`==`), which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by character. Once they have recovered the token, they can then submit a forged request on behalf of a logged-in user and execute privileged actions on that user's behalf. In particular the function to validate received CSRF tokens is at `oppia.core.controllers.base.CsrfTokenManager.is_csrf_token_valid`. An attacker who can lure a logged-in Oppia user to a malicious website can perform any change on Oppia that the user is authorized to do, including changing profile information; creating, deleting, and changing explorations; etc. Note that the attacker cannot change a user's login credentials. An attack would need to complete within 1 second because every second, the time used in computing the token changes. This issue has been addressed in commit `b89bf80837` which has been included in release `3.3.2-hotfix-2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Link	Providers
https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990
https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23
https://github.com/oppia/oppia/pull/18769
https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-08T13:46:25.243Z", "datePublished": "2023-08-16T20:25:22.726Z", "dateUpdated": "2024-10-03T13:37:09.373Z"}, "containers": {"cna": {"title": "Timing Attack Reveals CSRF Tokens in oppia", "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "lang": "en", "description": "CWE-203: Observable Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"}, {"name": "https://github.com/oppia/oppia/pull/18769", "tags": ["x_refsource_MISC"], "url": "https://github.com/oppia/oppia/pull/18769"}, {"name": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23", "tags": ["x_refsource_MISC"], "url": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"}, {"name": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990", "tags": ["x_refsource_MISC"], "url": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"}], "affected": [{"vendor": "oppia", "product": "oppia", "versions": [{"version": ">= 1.1.0, < 3.3.2-hotfix-2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-16T20:25:22.726Z"}, "descriptions": [{"lang": "en", "value": "Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator (`==`), which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by character. Once they have recovered the token, they can then submit a forged request on behalf of a logged-in user and execute privileged actions on that user's behalf. In particular the function to validate received CSRF tokens is at `oppia.core.controllers.base.CsrfTokenManager.is_csrf_token_valid`. An attacker who can lure a logged-in Oppia user to a malicious website can perform any change on Oppia that the user is authorized to do, including changing profile information; creating, deleting, and changing explorations; etc. Note that the attacker cannot change a user's login credentials. An attack would need to complete within 1 second because every second, the time used in computing the token changes. This issue has been addressed in commit `b89bf80837` which has been included in release `3.3.2-hotfix-2`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-49jp-pjc3-2532", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.658Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"}, {"name": "https://github.com/oppia/oppia/pull/18769", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oppia/oppia/pull/18769"}, {"name": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"}, {"name": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"}]}, {"affected": [{"vendor": "oppia", "product": "oppia", "cpes": ["cpe:2.3:a:oppia:oppia:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.1.0", "status": "affected", "lessThan": "3.3.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T13:33:01.578679Z", "id": "CVE-2023-40021", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T13:37:09.373Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-08T13:46:25.243Z", "datePublished": "2023-08-16T20:25:22.726Z", "dateUpdated": "2024-10-03T13:37:09.373Z"}, "containers": {"cna": {"title": "Timing Attack Reveals CSRF Tokens in oppia", "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "lang": "en", "description": "CWE-203: Observable Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"}, {"name": "https://github.com/oppia/oppia/pull/18769", "tags": ["x_refsource_MISC"], "url": "https://github.com/oppia/oppia/pull/18769"}, {"name": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23", "tags": ["x_refsource_MISC"], "url": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"}, {"name": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990", "tags": ["x_refsource_MISC"], "url": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"}], "affected": [{"vendor": "oppia", "product": "oppia", "versions": [{"version": ">= 1.1.0, < 3.3.2-hotfix-2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-16T20:25:22.726Z"}, "descriptions": [{"lang": "en", "value": "Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator (`==`), which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by character. Once they have recovered the token, they can then submit a forged request on behalf of a logged-in user and execute privileged actions on that user's behalf. In particular the function to validate received CSRF tokens is at `oppia.core.controllers.base.CsrfTokenManager.is_csrf_token_valid`. An attacker who can lure a logged-in Oppia user to a malicious website can perform any change on Oppia that the user is authorized to do, including changing profile information; creating, deleting, and changing explorations; etc. Note that the attacker cannot change a user's login credentials. An attack would need to complete within 1 second because every second, the time used in computing the token changes. This issue has been addressed in commit `b89bf80837` which has been included in release `3.3.2-hotfix-2`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-49jp-pjc3-2532", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.658Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"}, {"name": "https://github.com/oppia/oppia/pull/18769", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oppia/oppia/pull/18769"}, {"name": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"}, {"name": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40021", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-03T13:33:01.578679Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:oppia:oppia:*:*:*:*:*:*:*:*"], "vendor": "oppia", "product": "oppia", "versions": [{"status": "affected", "version": "1.1.0", "lessThan": "3.3.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T13:33:56.674Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oppia:oppia:*:*:*:*:*:*:*:*", "matchCriteriaId": "87F65B5D-6454-4E3C-A7A5-F1FEEC6DC78C", "versionEndExcluding": "3.3.2", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oppia:oppia:3.3.2:-:*:*:*:*:*:*", "matchCriteriaId": "7B0060B6-6E1F-4B0F-8A6B-3437450C94C3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator (`==`), which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by character. Once they have recovered the token, they can then submit a forged request on behalf of a logged-in user and execute privileged actions on that user's behalf. In particular the function to validate received CSRF tokens is at `oppia.core.controllers.base.CsrfTokenManager.is_csrf_token_valid`. An attacker who can lure a logged-in Oppia user to a malicious website can perform any change on Oppia that the user is authorized to do, including changing profile information; creating, deleting, and changing explorations; etc. Note that the attacker cannot change a user's login credentials. An attack would need to complete within 1 second because every second, the time used in computing the token changes. This issue has been addressed in commit `b89bf80837` which has been included in release `3.3.2-hotfix-2`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2023-40021", "lastModified": "2024-11-21T08:18:31.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-16T21:15:09.880", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/oppia/oppia/pull/18769"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/oppia/oppia/pull/18769"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object