PT-2020-19789 · Softwaremill · Akka-Http-Session

Willem Vermeer · Published 2020-11-27 · Updated 2022-02-09

CVE-2020-7780

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

com.softwaremill.akka-http-session:core 2.13, versions prior to 0.5.11
com.softwaremill.akka-http-session:core 2.12, versions prior to 0.5.11
com.softwaremill.akka-http-session:core 2.11, versions prior to 0.5.11
Description

The issue affects older versions of the com.softwaremill.akka-http-session package, where endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.
Recommendations

For com.softwaremill.akka-http-session:core 2.13 versions prior to 0.5.11, update to version 0.5.11 or later.
For com.softwaremill.akka-http-session:core 2.12 versions prior to 0.5.11, update to version 0.5.11 or later.
For com.softwaremill.akka-http-session:core 2.11 versions prior to 0.5.11, update to version 0.5.11 or later.

As a temporary workaround, consider disabling the randomTokenCsrfProtection feature until a patch is available.
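The bug class behind this advisory is a double-submit-cookie check that treats an empty header matching an empty cookie as a valid token pair. The following is an added example (not akka-http-session's own code): a constructed request model, the naive comparison that lets the empty pair through, and a hardened check that requires both values to be present, non-trivially long, and compared in constant time.

```python
"""Added illustration of the empty-token double-submit-cookie flaw.
Not the library's code; request shape and function names are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

# Cookie and header names as given in the advisory.
CSRF_COOKIE = "XSRF-TOKEN"
CSRF_HEADER = "X-XSRF-TOKEN"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    """Constructed stand-in for an HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def naive_csrf_check(req: Request) -> bool:
    """Vulnerable pattern: header and cookie only have to be equal.
    An empty XSRF-TOKEN cookie plus an empty X-XSRF-TOKEN header
    satisfies the equality test, so the request is accepted."""
    if req.method in SAFE_METHODS:
        return True
    cookie = req.cookies.get(CSRF_COOKIE, "")
    header = req.headers.get(CSRF_HEADER, "")
    return cookie == header


def hardened_csrf_check(req: Request, min_len: int = 32) -> bool:
    """Hardened pattern: reject missing or empty values, reject tokens
    shorter than the issued length, and compare in constant time."""
    if req.method in SAFE_METHODS:
        return True
    cookie = req.cookies.get(CSRF_COOKIE)
    header = req.headers.get(CSRF_HEADER)
    if not cookie or not header:
        return False
    if len(cookie) < min_len:
        return False
    return hmac.compare_digest(cookie, header)


def new_csrf_token() -> str:
    """Issue a fresh random token to place in the XSRF-TOKEN cookie."""
    return secrets.token_urlsafe(32)
```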

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-7780
GHSA-Q42Q-523G-3FWV
SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1045352
SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046654
SNYK-JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655

Affected Products

Akka-Http-Session