Alert IDs:
- 5ab53d78-9a77-4b54-ba51-8122193a586c
- f3fa8044-9246-4d84-85b4-68aa827175b2
Vulnerabilities in passport
Release: March19
Total Vulnerabilities: 2
1. CVE-2023-29019
Severity: HIGH (Score: 8.1)
Description:
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. Applications using @fastify/passport in affected versions for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Fastify applications rely on the @fastify/passport library for user authentication. Login and user validation are performed by the authenticate function. When this function executes, the sessionId is preserved between the pre-login session and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie into the victim's browser and waiting for the victim to log in on the website. As a fix, newer versions of @fastify/passport regenerate the sessionId upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-29019
Alert ID: 5ab53d78-9a77-4b54-ba51-8122193a586c
2. CVE-2023-29020
Severity: MEDIUM (Score: 6.5)
Description:
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers. @fastify/csrf-protection implements the synchronizer token pattern (using the @fastify/session and @fastify/secure-session plugins) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between the pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication remain valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a fix, newer versions of @fastify/passport include the configuration options clearSessionOnLogin (default: true) and clearSessionIgnoreFields (default: ['passport', 'session']), which clear all session attributes by default while preserving those explicitly listed in clearSessionIgnoreFields.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-29020
Alert ID: f3fa8044-9246-4d84-85b4-68aa827175b2