CVE-2021-29624 – Lack of protection against cookie tossing attacks in fastify-csrf
https://notcve.org/view.php?id=CVE-2021-29624
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 implement a "double submit" mechanism using cookies that is not protected against cookie tossing when the application is deployed across multiple subdomains, e.g. a "heroku"-style platform as a service. Version 3.1.0 of fastify-csrf fixes the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end.
• https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
• https://github.com/fastify/csrf/pull/2
• https://github.com/fastify/fastify-csrf/pull/51
• https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0
• https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8
• https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-565: Reliance on Cookies without Validation and Integrity Checking
CVE-2020-28482 – Cross-site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2020-28482
This affects the package fastify-csrf before 3.0.0.
1. The generated cookie used insecure defaults and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true }
2. The CSRF token was available in the GET query parameter.
• https://github.com/fastify/fastify-csrf/pull/26
• https://snyk.io/vuln/SNYK-JS-FASTIFYCSRF-1062044
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-732: Incorrect Permission Assignment for Critical Resource