CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29020 – Cross site request forgery token fixation in fastify-passport
https://notcve.org/view.php?id=CVE-2023-29020
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport` in affected versions, can be bypassed by network and same-site attackers. `fastify/csrf-protection` implements the synchronizer token pattern (using plugins `@fastify/session` and `@fastify/secure-session`) by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. • https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern https://github.com/fastify/fastify-passport/commit/07c90feab9cba0dd4779e47cfb0717a7e2f01d3d https://github.com/fastify/fastify-passport/security/advisories/GHSA-2ccf-ffrj-m4qw https://owasp.org/www-community/attacks/csrf • CWE-352: Cross-Site Request Forgery (CSRF) CWE-384: Session Fixation •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29019 – Session fixation in fastify-passport
https://notcve.org/view.php?id=CVE-2023-29019
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using `@fastify/passport` in affected versions for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. fastify applications rely on the `@fastify/passport` library for user authentication. The login and user validation are performed by the `authenticate` function. When executing this function, the `sessionId` is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid `sessionId` cookie in the victim's browser and waiting for the victim to log in on the website. • https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11 https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9 https://owasp.org/www-community/attacks/Session_fixation • CWE-384: Session Fixation •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25896 – Session Fixation
https://notcve.org/view.php?id=CVE-2022-25896
This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. Esto afecta a el paquete passport versiones anteriores a 0.6.0. Cuando un usuario es conectado o desconectado, la sesión es regenerada en lugar de cerrarse A misleading session regeneration flaw was found in passport. When a user logs in or logs out, the session is regenerated instead of being closed. • https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608 https://github.com/jaredhanson/passport/pull/900 https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631 https://access.redhat.com/security/cve/CVE-2022-25896 https://bugzilla.redhat.com/show_bug.cgi?id=2111862 • CWE-384: Session Fixation •