blob: 2e165b860d8e7b6895c4ccdcb3b3dd9ea087c2ac [file] [log] [blame]
id: GO-2023-2116
modules:
- module: github.com/gofiber/fiber/v2
versions:
- fixed: 2.50.0
vulnerable_at: 2.49.2
packages:
- package: github.com/gofiber/fiber/v2/middleware/csrf
symbols:
- configDefault
- New
- CsrfFromParam
- CsrfFromForm
- CsrfFromCookie
- CsrfFromHeader
- CsrfFromQuery
- newManager
- manager.getRaw
- manager.setRaw
summary: CSRF token validation vulnerability in github.com/gofiber/fiber/v2
description: |-
A cross-site request forgery vulnerability can allow an attacker to obtain
tokens and forge malicious requests on behalf of a user. This can lead to
unauthorized actions being taken on the user's behalf, potentially compromising
the security and integrity of the application.
The vulnerability is caused by improper validation and enforcement of CSRF
tokens within the application. The CSRF token is validated against tokens in
storage but was is not tied to the original requestor that generated it,
allowing for token reuse.
cves:
- CVE-2023-45141
ghsas:
- GHSA-mv73-f69x-444p
references:
- advisory: https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p
- fix: https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a
- fix: https://github.com/gofiber/fiber/commit/b50d91d58ecdff2a330bf07950244b6c4caf65b1
notes:
- There is a closely related vulnerability (GO-2023-2115), and it is not clear which fix applies to which vulnerability, so I have marked both fixes as applying to both vulnerabilities.
review_status: REVIEWED