blob: 177e03fd192342e0934dfa50f1b2654fe50d29ba [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2023-2115",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-45128",
"GHSA-94w9-97p3-p368"
],
"summary": "CSRF token reuse vulnerability in github.com/gofiber/fiber/v2",
"details": "A cross-site request forgery vulnerability in this package can allow an attacker to inject arbitrary values and forge malicious requests on behalf of a user. The attacker may inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.\n\nThe vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. For 'safe' methods, the token is extracted from the cookie and saved to storage without further validation or sanitization. In addition, the CSRF token is validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.",
"affected": [
{
"package": {
"name": "github.com/gofiber/fiber/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.50.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/gofiber/fiber/v2/middleware/csrf",
"symbols": [
"CsrfFromCookie",
"CsrfFromForm",
"CsrfFromHeader",
"CsrfFromParam",
"CsrfFromQuery",
"New",
"configDefault",
"manager.getRaw",
"manager.setRaw",
"newManager"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
},
{
"type": "FIX",
"url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
},
{
"type": "FIX",
"url": "https://github.com/gofiber/fiber/commit/b50d91d58ecdff2a330bf07950244b6c4caf65b1"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-2115",
"review_status": "REVIEWED"
}
}