PT-2024-23849 · Saleor · Saleor

Nyankiyoshi · Published 2024-04-08 · Updated 2026-01-07 · CVE-2024-31205

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Saleor versions 3.10.0 through 3.14.63
Saleor versions 3.15.0 through 3.15.38
Saleor versions 3.16.0 through 3.16.38
Saleor versions 3.17.0 through 3.17.34
Saleor versions 3.18.0 through 3.18.30
Saleor versions 3.19.0 through 3.19.18
Description

Saleor is an e-commerce platform. An attacker may bypass cross-site request forgery (CSRF) validation by calling the refreshToken mutation with an empty string. When a user supplies an empty string as the refreshToken argument while a token persists in the JWT_REFRESH_TOKEN_COOKIE_NAME cookie, the application skips validation against the CSRF token and returns a valid access token.
Recommendations

For versions 3.10.0 through 3.14.63, update to version 3.14.64 or later.
For versions 3.15.0 through 3.15.38, update to version 3.15.39 or later.
For versions 3.16.0 through 3.16.38, update to version 3.16.39 or later.
For versions 3.17.0 through 3.17.34, update to version 3.17.35 or later.
For versions 3.18.0 through 3.18.30, update to version 3.18.31 or later.
For versions 3.19.0 through 3.19.18, update to version 3.19.19 or later.

As a temporary workaround, consider replacing get_refresh_token in saleor/graphql/account/mutations/authentication/refresh_token.py to fix the issue, but be aware that it then returns JWT_MISSING_TOKEN instead of JWT_INVALID_TOKEN.
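The root cause described above is a mismatch between two checks: the code that picks the refresh token treats an empty string as "absent" and falls back to the cookie, while the CSRF gate only fires when the argument is literally not supplied. The following Python is an added, simplified model of that pattern and of a hardened version; it is not Saleor's code. The request shape (plain `args` and `cookies` dictionaries), the `csrfToken` argument name, the cookie value, the `issue_access_token` stand-in and the CSRF error string are assumptions for this example; only JWT_MISSING_TOKEN and the cookie setting name come from the advisory.

```python
"""Simplified model of the refresh-token CSRF gap described in the advisory.

Added illustration, not Saleor's implementation. The args/cookies dictionaries,
the ``csrfToken`` argument name, ``issue_access_token`` and the CSRF error text
are constructed for this example.
"""
from typing import Optional

# Setting name from the advisory; the cookie value itself is an assumption.
JWT_REFRESH_TOKEN_COOKIE_NAME = "refreshToken"


class TokenError(Exception):
    """Raised when the refresh request must be rejected."""


def issue_access_token(refresh_token: str) -> str:
    # Stand-in for JWT issuance: derives a recognisable access token string.
    return f"access-token-for:{refresh_token}"


def check_csrf(csrf_token: Optional[str], expected: str) -> None:
    # A cookie-sourced refresh token is an ambient credential (the browser
    # attaches it to cross-site requests too), so it must be paired with a
    # CSRF token that only same-origin script can obtain.
    if not csrf_token or csrf_token != expected:
        raise TokenError("csrf token missing or invalid")


def refresh_vulnerable(args: dict, cookies: dict, expected_csrf: str) -> str:
    """Pattern with the gap: token selection and the CSRF gate disagree on ''."""
    # Token selection treats "" as absent (falsy) and falls back to the cookie.
    refresh_token = args.get("refreshToken") or cookies.get(JWT_REFRESH_TOKEN_COOKIE_NAME)
    if not refresh_token:
        raise TokenError("JWT_MISSING_TOKEN")
    # The CSRF gate keys on "argument not supplied" (None). "" is not None,
    # so the cookie token is consumed without any CSRF validation.
    if args.get("refreshToken") is None:
        check_csrf(args.get("csrfToken"), expected_csrf)
    return issue_access_token(refresh_token)


def refresh_fixed(args: dict, cookies: dict, expected_csrf: str) -> str:
    """Hardened pattern: decide the token source once and gate the cookie path."""
    provided = args.get("refreshToken")
    if provided:
        # Caller-supplied token: not ambient, no CSRF requirement.
        return issue_access_token(provided)
    # Absent or empty argument means the cookie path, which always requires a
    # CSRF token. Empty argument with no cookie reports JWT_MISSING_TOKEN.
    cookie_token = cookies.get(JWT_REFRESH_TOKEN_COOKIE_NAME)
    if not cookie_token:
        raise TokenError("JWT_MISSING_TOKEN")
    check_csrf(args.get("csrfToken"), expected_csrf)
    return issue_access_token(cookie_token)


def probe(handler, args: dict, cookies: dict, expected_csrf: str) -> str:
    """Run one scenario and summarise the outcome as a string."""
    try:
        handler(args, cookies, expected_csrf)
        return "access token issued"
    except TokenError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed scenario: the browser holds a refresh cookie, and the request
    # carries refreshToken="" with no csrfToken (what a cross-site page can send).
    cookies = {JWT_REFRESH_TOKEN_COOKIE_NAME: "rt-from-cookie"}
    args = {"refreshToken": ""}
    for name, handler in (("vulnerable", refresh_vulnerable), ("fixed", refresh_fixed)):
        print(f"{name:10s} {probe(handler, args, cookies, 'csrf-secret')}")
```

The fixed variant makes the decision in one place: any request that ends up using the cookie token goes through `check_csrf`, regardless of how the argument was encoded, which is the property a regression test for this class of bug should assert.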

CSRF

Related Identifiers

CVE-2024-31205
GHSA-FF69-FWJF-3C9W

Affected Products

Saleor