CVE-2020-35217

CVSS v3.1 8.8 (High)
CVSS v2.0 6.8 (Medium)
EPSS 0.07% (31st percentile)
Affected Products 1
Advisories 1

Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack.
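The check the advisory describes, modelled side by side with a hardened one. This is an added illustration written for this page, not Vert.x-Web source code, and the cookie, header and form-field names are assumptions made for the model. The flawed variant compares the cookie against the session value only; because the browser attaches the victim's cookie to a cross-site request on its own, a forged request that carries no token at all is accepted. The hardened variant requires the token to be presented in the request itself (a header or hidden form field), which a cross-site page cannot read, and checks it against the session.

```python
import hmac
import secrets
from typing import Optional

# Names are assumptions for this model, not the framework's configuration.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
FORM_FIELD = "csrf"


def issue_token(session: dict) -> str:
    """Generate a fresh token, store it in the server-side session and return it
    so the application can set it as a cookie and embed it in the page."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def _eq(a: Optional[str], b: Optional[str]) -> bool:
    """Constant-time comparison; a missing value on either side is a mismatch."""
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.encode(), b.encode())


def vulnerable_check(request: dict, session: dict) -> bool:
    """The flawed logic described by the advisory: the cookie value is compared
    with the session value and the token carried by the request is never read.
    The browser attaches the cookie to a cross-site request automatically, so
    this passes for a forged request too."""
    return _eq(request["cookies"].get(COOKIE_NAME), session.get("csrf"))


def fixed_check(request: dict, session: dict) -> bool:
    """Hardened variant: the token must be presented in the request (header or
    form field), which a cross-site page cannot read or forge, and must match
    both the session token and the cookie."""
    supplied = request["headers"].get(HEADER_NAME) or request["form"].get(FORM_FIELD)
    expected = session.get("csrf")
    return _eq(supplied, expected) and _eq(request["cookies"].get(COOKIE_NAME), expected)


def simulate() -> dict:
    """Constructed scenario: a logged-in victim with a valid session, then a
    legitimate same-origin POST and a forged cross-site POST."""
    session = {}
    token = issue_token(session)

    # Legitimate request: the page read the token and sent it back in a header.
    legit = {
        "cookies": {COOKIE_NAME: token},
        "headers": {HEADER_NAME: token},
        "form": {},
    }
    # Forged request from a cross-site page: the browser still attaches the
    # victim's cookie, but the attacking page cannot read the token, so no
    # header or form field carries it. Form contents are constructed sample data.
    forged = {
        "cookies": {COOKIE_NAME: token},
        "headers": {},
        "form": {"amount": "1000", "to": "attacker"},
    }
    return {
        "legit_vulnerable": vulnerable_check(legit, session),
        "legit_fixed": fixed_check(legit, session),
        "forged_vulnerable": vulnerable_check(forged, session),
        "forged_fixed": fixed_check(forged, session),
    }


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running the model accepts both the legitimate and the forged request under the vulnerable check and rejects only the forged one under the fixed check. The scenario assumes the cookie is attached to the cross-site request; a cookie set with a SameSite attribute that blocks cross-site POSTs would narrow the exposure but is a browser-side mitigation, not a fix for the server-side check.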

Weaknesses
CWE-352
Cross-Site Request Forgery (CSRF)
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2021-01-20 13:15:12
Updated Date
2021-02-02 15:50:45

Affected Products


Configuration #1

    Vendor   Product     Version            CPE 2.3
    Eclipse  Vert.x-web  4.0.0 Milestone1   cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone1
    Eclipse  Vert.x-web  4.0.0 Milestone2   cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone2
    Eclipse  Vert.x-web  4.0.0 Milestone3   cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone3
    Eclipse  Vert.x-web  4.0.0 Milestone4   cpe:2.3:a:eclipse:vert.x-web:4.0.0:milestone4
    (Exact versions are listed; the configuration carries no "from" / "up to" version range.)