CVE-2023-45128 - OpenCVE

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Gofiber	Fiber

Configuration 1 [-]

cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*

References

Link	Resource
https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a	Patch
https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-16T20:45:07.068Z

Updated: 2023-10-16T20:46:19.342Z

Reserved: 2023-10-04T16:02:46.327Z

Link: CVE-2023-45128

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-16T21:15:11.137

Modified: 2023-10-23T15:26:25.743

Link: CVE-2023-45128

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-45128", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-04T16:02:46.327Z", "datePublished": "2023-10-16T20:45:07.068Z", "dateUpdated": "2023-10-16T20:46:19.342Z"}, "containers": {"cna": {"title": "CSRF Token Reuse Vulnerability in fiber", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-565", "lang": "en", "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"}, {"name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a", "tags": ["x_refsource_MISC"], "url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"}], "affected": [{"vendor": "gofiber", "product": "fiber", "versions": [{"version": "< 2.50.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-16T20:46:19.342Z"}, "descriptions": [{"lang": "en", "value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-94w9-97p3-p368", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*", "matchCriteriaId": "D4CF7CB2-A259-42A1-A42F-26170DCC266D", "versionEndExcluding": "2.50.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Fiber es un framework web inspirado en Express escrito en Go. Se ha identificado una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la aplicaci\u00f3n, que permite a un atacante inyectar valores arbitrarios y falsificar solicitudes maliciosas en nombre de un usuario. Esta vulnerabilidad puede permitir a un atacante inyectar valores arbitrarios sin ninguna autenticaci\u00f3n o realizar diversas acciones maliciosas en nombre de un usuario autenticado, comprometiendo potencialmente la seguridad y la integridad de la aplicaci\u00f3n. La vulnerabilidad se debe a una validaci\u00f3n y aplicaci\u00f3n inadecuadas de los tokens CSRF dentro de la aplicaci\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 2.50.0 y se recomienda a los usuarios que actualicen. Los usuarios deben tomar medidas de seguridad adicionales como captchas o autenticaci\u00f3n de dos factores (2FA) y configurar cookies de sesi\u00f3n con SameSite=Lax o SameSite=Secure, y los atributos Secure y HttpOnly como medidas de defensa en profundidad. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-45128", "lastModified": "2023-10-23T15:26:25.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-16T21:15:11.137", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-565"}, {"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}