Willem Vermeer

Name of the Vulnerable Software and Affected Versions: com.softwaremill.akka-http-session:core 2.12 versions 0 through 0.6.1 com.softwaremill.akka-http-session:core 2.11 versions 0 and later com.softwaremill.akka-http-session:core 2.13 versions 0 through 0.6.1 Description: The issue allows CSRF protection to be bypassed by forging a request that contains the same value for both the `X-XSRF-TOKEN` header and the `XSRF-TOKEN` cookie value. This is because the check in `randomTokenCsrfProtection` only verifies that the two values are equal and non-empty. Recommendations: For com.softwaremill.akka-http-session:core 2.12 versions 0 through 0.6.1, update to version 0.6.1 or later to resolve the issue. For com.softwaremill.akka-http-session:core 2.11, consider disabling the `randomTokenCsrfProtection` function until a patch is available. For com.softwaremill.akka-http-session:core 2.13 versions 0 through 0.6.1, update to version 0.6.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** com.softwaremill.akka-http-session:core 2.13 versions prior to 0.5.11 com.softwaremill.akka-http-session:core 2.12 versions prior to 0.5.11 com.softwaremill.akka-http-session:core 2.11 versions prior to 0.5.11 **Description** The issue affects older versions of the com.softwaremill.akka-http-session package, where endpoints protected by `randomTokenCsrfProtection` could be bypassed with an empty `X-XSRF-TOKEN` header and an empty `XSRF-TOKEN` cookie. **Recommendations** For com.softwaremill.akka-http-session:core 2.13 versions prior to 0.5.11, update to version 0.5.11 or later. For com.softwaremill.akka-http-session:core 2.12 versions prior to 0.5.11, update to version 0.5.11 or later. For com.softwaremill.akka-http-session:core 2.11 versions prior to 0.5.11, update to version 0.5.11 or later. As a temporary workaround, consider disabling the `randomTokenCsrfProtection` feature until a patch is available.