CPANSA-Plack-Middleware-XSRFBlock-20230714-01: Plack-Middleware-XSRFBlock vulnerability
Publisher | giterlizzi | Document category | csaf_security_advisory |
---|---|---|---|
Initial release date | 2023-07-14T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
Current release date | 2023-07-14T00:00:00 | Build Date | |
Current version | 1 | Status | final |
CVSS v3.1 Base Score | 8.8 | Severity | |
Original language | Language | en | |
Also referred to |
Vulnerability Description
When not using signed cookies, it was possible to bypass XSRFBlock by POSTing an empty form value and an empty cookie
Vulnerabilities
CVE-2023-52431
Vulnerability DescriptionThe Plack::Middleware::XSRFBlock package before 0.0.19 for Perl allows attackers to bypass a CSRF protection mechanism via an empty form value and an empty cookie (if signed cookies are disabled).
Weakness | CWE-352 : Cross-Site Request Forgery (CSRF) |
---|
Product status
Known affected
Product | Score | ||||||||
---|---|---|---|---|---|---|---|---|---|
Plack-Middleware-XSRFBlock less than 0.0.19 |
|
Fixed
- Plack-Middleware-XSRFBlock greater than or equal 0.0.19
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Plack-Middleware-XSRFBlock-20230714-01 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2023/cpansa-plack-middleware-xsrfblock-20230714-01.json - https://metacpan.org/dist/Plack-Middleware-XSRFBlock/changes external
https://metacpan.org/dist/Plack-Middleware-XSRFBlock/changes - https://metacpan.org/release/DAKKAR/Plack-Middleware-XSRFBlock-0.0.19/source/Changes external
https://metacpan.org/release/DAKKAR/Plack-Middleware-XSRFBlock-0.0.19/source/Changes - https://nvd.nist.gov/vuln/detail/CVE-2023-52431 external
https://nvd.nist.gov/vuln/detail/CVE-2023-52431 - CVE-2023-52431 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2023-52431
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1 | Fri Jul 14 00:00:00 2023 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/