Описание
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
A potential Cross-site request forgery (CSRF) flaw was found in xdg-utils. The xdg-open function in xdg-utils through version 1.2.1 can send requests containing SameSite=Strict cookies, facilitating a Cross-site request forgery (CSRF) attack vector.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | flatpak-xdg-utils | Fix deferred | ||
| Red Hat Enterprise Linux 10 | xdg-utils | Fix deferred | ||
| Red Hat Enterprise Linux 6 | xdg-utils | Out of support scope | ||
| Red Hat Enterprise Linux 7 | xdg-utils | Fix deferred | ||
| Red Hat Enterprise Linux 8 | flatpak-xdg-utils | Fix deferred | ||
| Red Hat Enterprise Linux 8 | xdg-utils | Fix deferred | ||
| Red Hat Enterprise Linux 9 | flatpak-xdg-utils | Fix deferred | ||
| Red Hat Enterprise Linux 9 | xdg-utils | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
2.7 Low
CVSS3
Связанные уязвимости
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
xdg-open in xdg-utils through 1.2.1 can send requests containing SameS ...
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
EPSS
2.7 Low
CVSS3