CVE-2020-35217

Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/vert-x3/vertx-web/pull/1613	Patch Third Party Advisory
https://github.com/vert-x3/vertx-web/pull/1613	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone1::::::
	cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone2::::::
	cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone3::::::
	cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone4::::::

History

21 Nov 2024, 05:27

Type	Values Removed	Values Added
References	~~() https://github.com/vert-x3/vertx-web/pull/1613 - Patch, Third Party Advisory~~	() https://github.com/vert-x3/vertx-web/pull/1613 - Patch, Third Party Advisory

Information

Published : 2021-01-20 13:15

Updated : 2024-11-21 05:27

NVD link : CVE-2020-35217

Mitre link : CVE-2020-35217

CVE.ORG link : CVE-2020-35217

JSON object : View

Products Affected

eclipse

vert.x-web

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2020-35217", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-01-20T13:15:12.440", "references": [{"url": "https://github.com/vert-x3/vertx-web/pull/1613", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/vert-x3/vertx-web/pull/1613", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack."}, {"lang": "es", "value": "El framework Vert.x-Web versi\u00f3n v4.0 milestone 1-4, no lleva a cabo una comprobaci\u00f3n de CSRF correcta. En lugar de comparar el token CSRF en la petici\u00f3n con el token CSRF en la cookie, compara el token CSRF en la cookie con un token CSRF que est\u00e1 almacenado en la sesi\u00f3n. Un atacante ni siquiera necesita proporcionar un token CSRF en la petici\u00f3n porque el framework no lo considera. Las cookies son enviadas autom\u00e1ticamente por el navegador y la comprobaci\u00f3n siempre se realizar\u00e1 correctamente, conllevando a un ataque de tipo CSRF con \u00e9xito"}], "lastModified": "2024-11-21T05:27:02.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0F457CC-5438-41C2-A310-B03555BD980D"}, {"criteria": "cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13DB2E1F-461B-4795-81F1-0BD0BB6D9A4F"}, {"criteria": "cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "765F70D9-FAE6-4037-80CB-65A88DC42277"}, {"criteria": "cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51B1F031-23B1-4F64-B189-6EEED4C13C32"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}