CVE-2020-28452

Name of the Vulnerable Software and Affected Versions: com.softwaremill.akka-http-session:core 2.12 versions 0 through 0.6.1 com.softwaremill.akka-http-session:core 2.11 versions 0 and later com.softwaremill.akka-http-session:core 2.13 versions 0 through 0.6.1

Description: The issue allows CSRF protection to be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value. This is because the check in randomTokenCsrfProtection only verifies that the two values are equal and non-empty.

Recommendations: For com.softwaremill.akka-http-session:core 2.12 versions 0 through 0.6.1, update to version 0.6.1 or later to resolve the issue. For com.softwaremill.akka-http-session:core 2.11, consider disabling the randomTokenCsrfProtection function until a patch is available. For com.softwaremill.akka-http-session:core 2.13 versions 0 through 0.6.1, update to version 0.6.1 or later to resolve the issue.