CVE-2023-45857 - OpenCVE

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Axios	Axios
Redhat	Ansible Automation Platform Container Native Virtualization Migration Toolkit Applications Migration Toolkit Runtimes Rhmt

Configuration 1 [-]

cpe:2.3:a:axios:axios:1.5.1:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
Migration Toolkit for Runtimes 1 on RHEL 8
axios	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:3920	2024-06-13T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-windup-addon-rhel9:6.2.3-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:3989	2024-06-20T00:00:00Z
MTA-7.0-RHEL-9
mta/mta-cli-rhel9:7.0.3-16	cpe:/a:redhat:migration_toolkit_applications:7.0::el9	RHSA-2024:3316	2024-05-23T00:00:00Z
mta/mta-ui-rhel9:7.0.3-13	cpe:/a:redhat:migration_toolkit_applications:7.0::el9	RHSA-2024:3316	2024-05-23T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 8
automation-controller-0:4.5.5-2.el8ap	cpe:/a:redhat:ansible_automation_platform:2.4::el8	RHSA-2024:1640	2024-04-02T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 9
automation-controller-0:4.5.5-2.el9ap	cpe:/a:redhat:ansible_automation_platform:2.4::el9	RHSA-2024:1640	2024-04-02T00:00:00Z
Red Hat Migration Toolkit for Containers 1.8
rhmtc/openshift-migration-ui-rhel8:v1.8.3-4	cpe:/a:redhat:rhmt:1.8::el8	RHSA-2024:1925	2024-04-18T00:00:00Z
RHEL-8-CNV-4.12
container-native-virtualization/kubevirt-console-plugin:v4.12.12-7	cpe:/a:redhat:container_native_virtualization:4.12::el8	RHSA-2024:4269	2024-07-02T00:00:00Z
RHEL-9-CNV-4.13
container-native-virtualization/kubevirt-console-plugin-rhel9:v4.13.10-387	cpe:/a:redhat:container_native_virtualization:4.13::el9	RHSA-2024:5314	2024-08-13T00:00:00Z
RHEL-9-CNV-4.14
container-native-virtualization/kubevirt-console-plugin-rhel9:v4.14.6-195	cpe:/a:redhat:container_native_virtualization:4.14::el9	RHSA-2024:3473	2024-05-29T00:00:00Z
RHEL-9-CNV-4.15
container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383	cpe:/a:redhat:container_native_virtualization:4.15::el9	RHSA-2024:3314	2024-05-23T00:00:00Z
RHEL-9-CNV-4.16
container-native-virtualization/kubevirt-console-plugin-rhel9:v4.16.0-4001	cpe:/a:redhat:container_native_virtualization:4.16::el9	RHSA-2024:4455	2024-07-10T00:00:00Z

References

Link	Providers
https://github.com/axios/axios/issues/6006
https://nvd.nist.gov/vuln/detail/CVE-2023-45857
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.cve.org/CVERecord?id=CVE-2023-45857

History

Tue, 13 Aug 2024 22:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:container_native_virtualization:4.13::el9

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-11-08T00:00:00

Updated: 2024-09-04T15:15:16.506Z

Reserved: 2023-10-14T00:00:00

Link: CVE-2023-45857

Vulnrichment

Updated: 2024-08-02T20:29:32.674Z

NVD

Status : Modified

Published: 2023-11-08T21:15:08.550

Modified: 2024-06-21T19:15:29.593

Link: CVE-2023-45857

Redhat

Severity : Moderate

Publid Date: 2023-11-09T00:00:00Z

Links: CVE-2023-45857 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object