Description
python-engineio vulnerable to Cross-Site Request Forgery (CSRF)
WebSocket cross-origin vulnerability
Impact
This is a Cross-Site Request Forgery (CSRF) vulnerability, in the form usually called Cross-Site WebSocket Hijacking (CSWSH): the same-origin policy does not stop a page on an attacker-controlled origin from opening a WebSocket handshake to the server, and the browser attaches the victim's cookies to that handshake. Because the server did not restrict the Origin header, the attacker's page obtained an authenticated Socket.IO/Engine.IO connection acting as the victim. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies.
Patches
python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks.
Workarounds
Do not use cookies for client authentication; alternatively, add a per-session CSRF token to the connection URL and reject any handshake that does not carry a valid one.
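The two defences named in this advisory, the server-side Origin check that 3.9.0 introduced and the CSRF-token-in-URL workaround, are illustrated below in a stand-alone Python example. This is added code, not python-engineio's own implementation (the library exposes its check as a constructor option; consult the 3.9.0 release notes for the exact parameter). The handshake headers, session id, secret key and the `csrf_token` query-parameter name are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_allowed(headers, scheme="https", allowed_origins=None):
    """Decide whether an Engine.IO/Socket.IO handshake may proceed.

    allowed_origins:
      None  -> accept only the server's own origin, i.e. scheme://Host
               (the same-origin default a server should fall back to);
      "*"   -> accept any origin (this disables the protection);
      list  -> explicit allowlist of "scheme://host[:port]" strings.

    A request with no Origin header is not a cross-site browser request
    (browsers always add Origin to WebSocket and CORS requests), so it is
    let through; a "null" origin never matches and is rejected.
    """
    origin = _header(headers, "Origin")
    if origin is None:
        return True
    if allowed_origins == "*":
        return True
    if allowed_origins is None:
        host = _header(headers, "Host")
        if host is None:
            return False
        allowed_origins = ["{}://{}".format(scheme, host)]
    parts = urlsplit(origin)
    # Normalise to scheme://netloc and compare exactly; no substring or
    # prefix matching, which is the classic way origin checks get bypassed.
    normalised = "{}://{}".format(parts.scheme.lower(), parts.netloc.lower())
    return any(normalised == allowed.lower().rstrip("/") for allowed in allowed_origins)


def issue_csrf_token(secret_key, session_id):
    """Mint a token bound to the cookie-identified session. The page that
    opens the socket embeds it in the connection URL, e.g.
    /socket.io/?EIO=3&transport=websocket&csrf_token=<token>."""
    return hmac.new(secret_key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(secret_key, session_id, query_string):
    """Check the csrf_token query parameter against the session the cookie
    identifies. An attacker's page cannot read the victim's token (same-origin
    policy), so it cannot build a connection URL the server will accept."""
    supplied = parse_qs(query_string).get("csrf_token", [""])[0]
    expected = issue_csrf_token(secret_key, session_id)
    return hmac.compare_digest(supplied, expected)


def accept_handshake(headers, query_string, secret_key, session_id,
                     scheme="https", allowed_origins=None):
    """Apply both checks: Origin allowlist first, then the CSRF token."""
    if not origin_allowed(headers, scheme, allowed_origins):
        return False
    return csrf_token_valid(secret_key, session_id, query_string)


if __name__ == "__main__":
    # Constructed sample handshakes: a legitimate one and a cross-site one.
    KEY = b"constructed-secret-key"          # assumption: server-side secret
    SESSION = "sess-1234"                    # assumption: id from the auth cookie
    token = issue_csrf_token(KEY, SESSION)
    good = {"Host": "chat.example.com", "Origin": "https://chat.example.com"}
    evil = {"Host": "chat.example.com", "Origin": "https://attacker.example"}
    print("same-origin handshake:", accept_handshake(good, "csrf_token=" + token, KEY, SESSION))
    print("cross-site handshake: ", accept_handshake(evil, "csrf_token=" + token, KEY, SESSION))
    print("no token:             ", accept_handshake(good, "EIO=3&transport=websocket", KEY, SESSION))
```

Two practical notes: behind a TLS-terminating reverse proxy the request's own scheme is not visible to the application, so pass the value from `X-Forwarded-Proto` (or configure an explicit allowlist) rather than trusting a default; and the Origin check must cover the long-polling transport as well as WebSocket, since Engine.IO clients can fall back to polling and the browser sends cookies on those requests too.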
References
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
For more information
If you have any questions or comments about this advisory:
- Open an issue in python-engineio
Links
- https://github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-j3jp-gvr5-7hwq
- https://nvd.nist.gov/vuln/detail/CVE-2019-13611
- https://github.com/miguelgrinberg/python-engineio/issues/128
- https://github.com/advisories/GHSA-j3jp-gvr5-7hwq
- https://github.com/pypa/advisory-database/tree/main/vulns/python-engineio/PYSEC-2019-170.yaml
Packages
python-engineio
Affected versions: <= 3.8.2
Patched version: 3.9.0
Related vulnerabilities
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
A vulnerability in the WebSocket protocol handling of the Engine.IO web server, related to cross-site request forgery, that allows an attacker to perform arbitrary actions on the vulnerable system.