PT-2021-11732 · Unknown · Vert.X-Web

Xhelal Likaj · Published 2021-01-20 · Updated 2021-04-22 · CVE-2020-35217

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vert.x-Web framework versions 4.0 milestone 1 through 4.0 milestone 4

Description: The issue arises from incorrect CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, the framework compares the CSRF token in the cookie against a CSRF token stored in the session. An attacker therefore does not need to supply a CSRF token in the request at all: the browser attaches the cookie automatically, so the verification always succeeds and the forged request is processed.

Recommendations: For versions 4.0 milestone 1 through 4.0 milestone 4, consider disabling the CSRF verification mechanism until a patch is available, or apply a custom fix that correctly compares the CSRF token in the request with the one in the cookie. Restrict access to sensitive operations that rely on CSRF protection to minimize the risk of exploitation.
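The flawed comparison described above beside the corrected one, as an added illustration that is not Vert.x-Web's own code; the cookie name, session attribute, form field name and the Map-based request model are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Simplified, hypothetical model of the CSRF check; names are assumptions.
public final class CsrfCheckExample {

    static final String COOKIE = "XSRF-TOKEN";   // assumed cookie name
    static final String SESSION_KEY = "csrf";    // assumed session attribute
    static final String FIELD = "X-XSRF-TOKEN";  // assumed form field / header

    // Vulnerable logic (4.0 milestone 1-4): cookie token vs session token.
    // The browser sends the cookie on its own, so a cross-site request that
    // carries no token in its body or headers still passes.
    static boolean vulnerableCheck(Map<String, String> cookies,
                                   Map<String, String> session,
                                   Map<String, String> form) {
        String cookieToken = cookies.get(COOKIE);
        String sessionToken = session.get(SESSION_KEY);
        return cookieToken != null && cookieToken.equals(sessionToken);
    }

    // Corrected logic: the request itself must present the token, and that
    // value must match the cookie; compared in constant time.
    static boolean fixedCheck(Map<String, String> cookies,
                              Map<String, String> session,
                              Map<String, String> form) {
        String requestToken = form.get(FIELD);
        String cookieToken = cookies.get(COOKIE);
        if (requestToken == null || cookieToken == null) {
            return false;   // a request without an explicit token is rejected
        }
        return constantTimeEquals(requestToken, cookieToken);
    }

    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed cross-site POST: the cookie rides along automatically,
        // but the attacker's page cannot read it, so the body has no token.
        Map<String, String> cookies = Map.of(COOKIE, "abc123");
        Map<String, String> session = Map.of(SESSION_KEY, "abc123");
        Map<String, String> form = Map.of();
        System.out.println("vulnerable check accepts: " + vulnerableCheck(cookies, session, form));
        System.out.println("fixed check accepts:      " + fixedCheck(cookies, session, form));
    }
}
```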

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-35217
GHSA-9Q69-G5GC-9FGF

Affected Products

Vert.X-Web