CVE-2020-7780 - OpenCVE

This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Softwaremill	Akka-http-session

Configuration 1 [-]

cpe:2.3:a:softwaremill:akka-http-session:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41	Patch Third Party Advisory
https://github.com/softwaremill/akka-http-session/issues/74	Third Party Advisory
https://github.com/softwaremill/akka-http-session/issues/77	Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352	Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654	Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2020-11-27T00:00:00

Updated: 2020-11-27T16:40:10

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7780

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-27T17:15:12.093

Modified: 2020-12-04T15:08:17.427

Link: CVE-2020-7780

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "com.softwaremill.akka-http-session:core_2.13", "vendor": "n/a", "versions": [{"lessThan": "0.5.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "com.softwaremill.akka-http-session:core_2.12", "vendor": "n/a", "versions": [{"lessThan": "0.5.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "com.softwaremill.akka-http-session:core_2.11", "vendor": "n/a", "versions": [{"lessThan": "0.5.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Willem Vermeer"}], "datePublic": "2020-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cross-site Request Forgery (CSRF)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-27T16:40:10", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}], "title": "Cross-site Request Forgery (CSRF)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-11-27T16:35:14.740953Z", "ID": "CVE-2020-7780", "STATE": "PUBLIC", "TITLE": "Cross-site Request Forgery (CSRF)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "com.softwaremill.akka-http-session:core_2.13", "version": {"version_data": [{"version_affected": "<", "version_value": "0.5.11"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "com.softwaremill.akka-http-session:core_2.12", "version": {"version_data": [{"version_affected": "<", "version_value": "0.5.11"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "com.softwaremill.akka-http-session:core_2.11", "version": {"version_data": [{"version_affected": "<", "version_value": "0.5.11"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Willem Vermeer"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}, {"name": "https://github.com/softwaremill/akka-http-session/issues/77", "refsource": "MISC", "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"name": "https://github.com/softwaremill/akka-http-session/issues/74", "refsource": "MISC", "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"name": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41", "refsource": "MISC", "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7780", "datePublished": "2020-11-27T00:00:00", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-11-27T16:40:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softwaremill:akka-http-session:*:*:*:*:*:*:*:*", "matchCriteriaId": "038B6CC8-C737-443E-9B33-81657D699BA8", "versionEndIncluding": "0.5.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie."}, {"lang": "es", "value": "Esto afecta al paquete com.softwaremill.akka-http-session:core_2.13 versiones anteriores a 0.5.11; el paquete com.softwaremill.akka-http-session:core_2.12 versiones anteriores a 0.5.11; el paquete com.softwaremill.akka-http-session:core_2.11 versiones anteriores a 0.5.11. Para versiones anteriores, unos endpoint protegidos por la funci\u00f3n randomTokenCsrfProtection podr\u00edan omitirse con un encabezado X-XSRF-TOKEN vac\u00edo y una cookie XSRF-TOKEN vac\u00eda"}], "id": "CVE-2020-7780", "lastModified": "2020-12-04T15:08:17.427", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-11-27T17:15:12.093", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/softwaremill/akka-http-session/commit/57f11663eecb84be03383d164f655b9c5f953b41"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/softwaremill/akka-http-session/issues/74"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/softwaremill/akka-http-session/issues/77"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}