CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.

• https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f
• https://github.com/fastify/session/issues/251
• https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
• CWE-613: Insufficient Session Expiration

CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

@fastify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with a matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext.

• https://github.com/fastify/fastify-secure-session/commit/56d66642ecc633cff0606927601e81cdac361370
• https://github.com/fastify/fastify-secure-session/security/advisories/GHSA-9wwp-q7wq-jx35
• CWE-613: Insufficient Session Expiration

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with `@fastify/reply-from` could misinterpret the incoming body when a request passes the header `ContentType: application/json ; charset=utf-8`. This can lead to a bypass of security checks. This vulnerability has been patched in `@fastify/reply-from` version 9.6.0.

• https://github.com/fastify/fastify-reply-from/releases/tag/v9.6.0
• https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-v2v2-hph8-q5xp
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

All versions of @fastify/oauth2 used a state parameter that was statically generated at startup time and used across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site Request Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

• https://auth0.com/docs/secure/attack-protection/state-parameters
• https://github.com/fastify/fastify-oauth2/releases/tag/v7.2.0
• https://hackerone.com/reports/2020418
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport` in affected versions, can be bypassed by network and same-site attackers. `fastify/csrf-protection` implements the synchronizer token pattern (using plugins `@fastify/session` and `@fastify/secure-session`) by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid.

• https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
• https://github.com/fastify/fastify-passport/commit/07c90feab9cba0dd4779e47cfb0717a7e2f01d3d
• https://github.com/fastify/fastify-passport/security/advisories/GHSA-2ccf-ffrj-m4qw
• https://owasp.org/www-community/attacks/csrf
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-384: Session Fixation