PT-2020-16378 · Open Zaak · Open Zaak

Sergei-Maertens · Published 2020-12-18 · Updated 2020-12-22 · CVE-2020-26251

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Open Zaak versions prior to 1.3.3

Description
Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. The Cross-Origin Resource Sharing (CORS) policy in Open Zaak is currently wide open, allowing every client to perform AJAX calls to known Open Zaak installations without being blocked by the browser. This was intended to apply only to development machines running on localhost/127.0.0.1. However, the vulnerability does not seem exploitable, for several reasons:
  • The session cookie has a SameSite=Lax policy, preventing it from being sent along with cross-origin requests.
  • All pages that give access to production data are login-protected.
  • Access-Control-Allow-Credentials is set to false.
  • CSRF checks probably block the remote origin, since remote origins are not explicitly added to the trusted allowlist.

Recommendations
For Open Zaak versions prior to 1.3.3, update to version 1.3.3 or later, which disables CORS by default. If necessary, CORS can be opted in through environment variables in version 1.3.3 and later.
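The fix described above amounts to "CORS off unless explicitly enabled". The following is an added example of how such an opt-in could be derived from environment variables for a Django application using django-cors-headers; it is not Open Zaak's own code, and the environment variable names (prefixed ASSUMED_) and the helper functions are assumptions chosen for this illustration. The django-cors-headers setting names it produces (CORS_ALLOW_ALL_ORIGINS, CORS_ALLOWED_ORIGINS, CORS_ALLOW_CREDENTIALS) are real; the allow_origin_header function is a simplified model of the middleware's behaviour, not the library itself.

```python
"""Derive django-cors-headers settings from the environment, secure by default.

Added example for this advisory. Variable names starting with ASSUMED_ and
every function here are illustrative assumptions, not Open Zaak's code.
"""
from urllib.parse import urlsplit

# Placeholder environment variable names (assumed, not Open Zaak's real ones).
ENV_ALLOW_ALL = "ASSUMED_CORS_ALLOW_ALL_ORIGINS"
ENV_ALLOWED = "ASSUMED_CORS_ALLOWED_ORIGINS"       # comma-separated origins
ENV_CREDENTIALS = "ASSUMED_CORS_ALLOW_CREDENTIALS"

TRUE_VALUES = {"1", "true", "yes", "on"}


def _as_bool(value, default=False):
    """Parse a truthy environment value; anything unset means the default."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def _valid_origin(origin):
    """A CORS origin is exactly scheme://host[:port]: no path, no wildcard."""
    parts = urlsplit(origin)
    return (
        parts.scheme in ("http", "https")
        and bool(parts.hostname)
        and "*" not in parts.netloc
        and parts.path == ""
        and parts.query == ""
        and parts.fragment == ""
    )


def cors_settings_from_env(environ):
    """Return django-cors-headers settings; with nothing set, CORS is disabled.

    The pre-1.3.3 behaviour described in the advisory corresponds to
    CORS_ALLOW_ALL_ORIGINS=True being on unconditionally; here it must be
    requested explicitly, and a credentialed wide-open policy is refused.
    """
    allow_all = _as_bool(environ.get(ENV_ALLOW_ALL))
    raw = environ.get(ENV_ALLOWED, "")
    allowed = [o.strip() for o in raw.split(",") if o.strip()]
    bad = [o for o in allowed if not _valid_origin(o)]
    if bad:
        raise ValueError(f"invalid CORS origins: {bad}")
    credentials = _as_bool(environ.get(ENV_CREDENTIALS))
    if credentials and allow_all:
        # Browsers reject 'Access-Control-Allow-Origin: *' together with
        # credentials, and reflecting arbitrary origins with credentials would
        # expose session-bound data; refuse the combination at startup.
        raise ValueError("credentialed CORS requires an explicit origin allowlist")
    return {
        "CORS_ALLOW_ALL_ORIGINS": allow_all,
        "CORS_ALLOWED_ORIGINS": allowed,
        "CORS_ALLOW_CREDENTIALS": credentials,
    }


def cors_disabled(settings):
    """True when no cross-origin browser client will be granted access."""
    return not settings["CORS_ALLOW_ALL_ORIGINS"] and not settings["CORS_ALLOWED_ORIGINS"]


def allow_origin_header(settings, request_origin):
    """Simplified model of the Access-Control-Allow-Origin value the middleware
    would send for a request from request_origin (None means no header)."""
    if settings["CORS_ALLOW_ALL_ORIGINS"]:
        # Without credentials the library answers with the wildcard.
        return request_origin if settings["CORS_ALLOW_CREDENTIALS"] else "*"
    if request_origin in settings["CORS_ALLOWED_ORIGINS"]:
        return request_origin
    return None


if __name__ == "__main__":
    # Constructed sample environments for illustration.
    for env in ({}, {ENV_ALLOW_ALL: "true"}, {ENV_ALLOWED: "https://app.example.org"}):
        s = cors_settings_from_env(env)
        print(env, "->", s, "header for https://other.example:",
              allow_origin_header(s, "https://other.example"))
```

With an empty environment the settings leave CORS disabled, which is the 1.3.3 default the advisory recommends; only an explicit allowlist (or an explicit allow-all switch) produces an Access-Control-Allow-Origin header, and a wildcard entry or a bare hostname in the allowlist is rejected at startup rather than silently ignored.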

Status
Fix

Weakness Enumeration
Origin Validation Error

Related Identifiers
CVE-2020-26251
GHSA-CHHR-GXRG-64X7

Affected Products
Open Zaak