Cross-site Request Forgery (CSRF) Affecting io.vertx:vertx-web package, versions [4.0.0-milestone1,4.0.0-milestone5)


Severity: high
  • Attack Complexity: Low
  • User Interaction: Required
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • snyk-id: SNYK-JAVA-IOVERTX-1062833
  • published: 20 Jan 2021
  • disclosed: 20 Jan 2021
  • credit: Xhelal Likaj

How to fix?

Upgrade io.vertx:vertx-web to version 4.0.0-milestone5 or higher.

Overview

io.vertx:vertx-web is a toolkit for building HTTP web applications on Vert.x.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The Vert.x-Web CSRF handler does not verify the token correctly: instead of comparing the token submitted with the request against the token held server-side, it compares the token in the cookie against the token stored in the session. The token the client submits is never consulted, so an attacker does not need to supply one at all. Because the browser attaches the cookie to cross-site requests automatically, the check always succeeds and a forged request is accepted.
