Alert IDs:
- 3224634a-5ee8-4404-b800-b3a3a3759d64
- 7ea44360-9165-4246-851a-07c32e2827dd
Vulnerabilities in passport
Release: March19 release 2
Total Vulnerabilities: 2
1. CVE-2023-29020
Severity: MEDIUM (Score: 6.5)
Description:
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers. @fastify/csrf-protection implements the synchronizer token pattern (using the plugins @fastify/session and @fastify/secure-session) by storing a random value used for CSRF token generation in the _csrf attribute of a user's session. The @fastify/passport library does not clear the session object upon authentication, preserving the _csrf attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of @fastify/passport include the configuration options clearSessionOnLogin (default: true) and clearSessionIgnoreFields (default: ['passport', 'session']) to clear all session attributes by default, preserving only those explicitly listed in clearSessionIgnoreFields.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-29020
Alert ID: 3224634a-5ee8-4404-b800-b3a3a3759d64
2. CVE-2023-29019
Severity: HIGH (Score: 8.1)
Description:
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. Applications using @fastify/passport in affected versions for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Fastify applications rely on the @fastify/passport library for user authentication. The login and user validation are performed by the authenticate function. When executing this function, the sessionId is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie into the victim's browser and waiting for the victim to log in on the website. As a solution, newer versions of @fastify/passport regenerate the sessionId upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-29019
Alert ID: 7ea44360-9165-4246-851a-07c32e2827dd