Overview
crumb is a CSRF crumb generation and validation plugin.
Affected versions of the package are vulnerable to Authentication Bypass. crumb does not validate the hostname when comparing a request origin against the whitelist; it compares the HTTP protocol alone. This opens a window for attackers to gain information through Man in the Middle (MitM) attacks.
Remediation
Upgrade crumb to version 4.0.2 or higher.
CVSS Score
6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Nicolas Jessel
- CWE: CWE-592
- Snyk ID: npm:crumb:20150213
- Disclosed: 12 Feb, 2015
- Published: 21 Jun, 2017