CVE-2021-22963 – fastify-static: open redirect via a URL with a double slash followed by a domain
https://notcve.org/view.php?id=CVE-2021-22963
A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all fastify-static applications that set the redirect: true option. By default, it is false.
• https://hackerone.com/reports/1354255
• https://access.redhat.com/security/cve/CVE-2021-22963
• https://bugzilla.redhat.com/show_bug.cgi?id=2015152
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2021-22964
https://notcve.org/view.php?id=CVE-2021-22964
A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`. A DoS vulnerability is also possible if the URL contains invalid characters: `curl --path-as-is "http://localhost:3000//^/.."`. The issue shows up on all `fastify-static` applications that set the `redirect: true` option. By default, it is `false`.
• https://hackerone.com/reports/1361804
• CWE-400: Uncontrolled Resource Consumption
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2021-29624 – Lack of protection against cookie tossing attacks in fastify-csrf
https://notcve.org/view.php?id=CVE-2021-29624
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 implement a "double submit" mechanism using cookies that does not protect against cookie tossing when an application is deployed across multiple subdomains, e.g. a "heroku"-style platform as a service. Version 3.1.0 of fastify-csrf fixes the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end.
• https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
• https://github.com/fastify/csrf/pull/2
• https://github.com/fastify/fastify-csrf/pull/51
• https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0
• https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8
• https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-565: Reliance on Cookies without Validation and Integrity Checking
CVE-2021-21321 – Prefix escape
https://notcve.org/view.php?id=CVE-2021-21321
fastify-reply-from is an npm package which is a fastify plugin to forward the current HTTP request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is "/pub/", a user expects that accessing "/priv" on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.0.2.
• https://github.com/fastify/fastify-reply-from/commit/dea227dda606900cc01870d08541b4dcc69d3889
• https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-qmw8-3v4g-gwj4
• https://www.npmjs.com/package/fastify-reply-from
• https://access.redhat.com/security/cve/CVE-2021-21321
• https://bugzilla.redhat.com/show_bug.cgi?id=1942178
• CWE-20: Improper Input Validation
CVE-2021-21322 – Prefix escape
https://notcve.org/view.php?id=CVE-2021-21322
fastify-http-proxy is an npm package which is a fastify plugin for proxying your HTTP requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is `/pub/`, a user expects that accessing `/priv` on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.3.1.
• https://github.com/fastify/fastify-http-proxy/commit/02d9b43c770aa16bc44470edecfaeb7c17985016
• https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-c4qr-gmr9-v23w
• https://www.npmjs.com/package/fastify-http-proxy
• https://access.redhat.com/security/cve/CVE-2021-21322
• https://bugzilla.redhat.com/show_bug.cgi?id=1942182
• CWE-20: Improper Input Validation