High severity | NVD Advisory | Published Jan 20, 2021 | Updated Aug 4, 2024
CVE-2020-35217
Description
Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack.
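The flawed comparison described above, modelled beside a corrected double-submit check. This is an added example constructed for this page, not Vert.x-Web code; the cookie/header names, token format and the signed-token hardening (which goes slightly beyond the description) are assumptions.

```python
import hmac
import hashlib
import secrets

SECRET = b"constructed-demo-secret"  # constructed; use a random per-deployment secret in practice
COOKIE = "XSRF-TOKEN"                # assumed cookie name
HEADER = "X-XSRF-TOKEN"              # assumed header the app's own pages echo the token in

def issue_token() -> str:
    """Issue a signed token 'nonce.sig' with sig = HMAC-SHA256(secret, nonce)."""
    nonce = secrets.token_hex(16)
    sig = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{sig}"

def token_is_well_formed(token) -> bool:
    """True only if the token carries a valid signature over its nonce."""
    try:
        nonce, sig = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def vulnerable_check(cookies: dict, headers: dict, session: dict) -> bool:
    """The logic CVE-2020-35217 describes: cookie compared against the session copy only.
    The browser attaches the cookie to a cross-site request by itself, so a forged
    request that carries no token anywhere still passes."""
    cookie = cookies.get(COOKIE)
    return cookie is not None and cookie == session.get("csrf")

def fixed_check(cookies: dict, headers: dict, session: dict) -> bool:
    """Double-submit check: the value a cross-site page cannot read or set (the header)
    must match the cookie, and the cookie must carry a valid signature."""
    cookie = cookies.get(COOKIE)
    submitted = headers.get(HEADER)
    if cookie is None or submitted is None or not token_is_well_formed(cookie):
        return False
    return hmac.compare_digest(cookie, submitted)  # constant-time comparison

def simulate() -> dict:
    """Run both checks against a legitimate request and a cross-site one."""
    token = issue_token()
    session = {"csrf": token}
    cookies = {COOKIE: token}   # sent by the browser on every request, cross-site included
    cross_site = {}             # an attacker-controlled form cannot add the custom header
    legit = {HEADER: token}     # the application's own page echoes the token back
    return {
        "vuln_cross_site": vulnerable_check(cookies, cross_site, session),
        "fixed_cross_site": fixed_check(cookies, cross_site, session),
        "fixed_legit": fixed_check(cookies, legit, session),
        "fixed_unsigned_pair": fixed_check({COOKIE: "x.y"}, {HEADER: "x.y"}, session),
    }
```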
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.vertx:vertx-web | Maven | >= 4.0.0-milestone1, < 4.0.0-milestone5 | 4.0.0-milestone5 |
| io.vertx:vertx-web | Maven | >= 4.0.0-milestone2, < 4.0.0-milestone5 | 4.0.0-milestone5 |
| io.vertx:vertx-web | Maven | >= 4.0.0-milestone3, < 4.0.0-milestone5 | 4.0.0-milestone5 |
| io.vertx:vertx-web | Maven | >= 4.0.0-milestone4, < 4.0.0-milestone5 | 4.0.0-milestone5 |
Affected products
- Vert.x-Web framework
References
- github.com/advisories/GHSA-9q69-g5gc-9fgf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-35217 (NVD advisory)
- github.com/vert-x3/vertx-web/pull/1613 (fix pull request, x_refsource_MISC)