Описание
fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.
Ссылки
- Third Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.1.0 (исключая)
cpe:2.3:a:fastify:fastify-csrf:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 40%
0.00187
Низкий
6.5 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-565
CWE-352
Связанные уязвимости
CVSS3: 6.5
github
больше 4 лет назад
Lack of protection against cookie tossing attacks in fastify-csrf
EPSS
Процентиль: 40%
0.00187
Низкий
6.5 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-565
CWE-352