Skip to main content

Passport CVE-2023-29020

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2023-04-21 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 21, 2023 - 23:15 nvd
MEDIUM 6.5

DescriptionNVD

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers. fastify/csrf-protection implements the synchronizer token pattern (using plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of @fastify/passport include the configuration options: clearSessionOnLogin (default: true) and clearSessionIgnoreFields (default: ['passport', 'session']) to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields.

AnalysisAI

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. @fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers. fastify/csrf-protection implements the synchronizer token pattern (using plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of @fastify/passport include the configuration options: clearSessionOnLogin (default: true) and clearSessionIgnoreFields (default: ['passport', 'session']) to clear all the session attributes by default, preserving those explicitly defined in clearSessionIgnoreFields. Affected products include: Fastify Passport.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

Share

CVE-2023-29020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy