Unrated severityNVD Advisory· Published Apr 8, 2024· Updated Aug 2, 2024

Saleor CSRF bypass in refreshToken mutation

CVE-2024-31205

Description

Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in refreshToken mutation, while the token persists in JWT_REFRESH_TOKEN_COOKIE_NAME cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token. This will fix the issue, but be aware, that it returns JWT_MISSING_TOKEN instead of JWT_INVALID_TOKEN.

Affected products

Saleor/Saleorv5
Range: >= 3.10.0, < 3.14.64

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7mitrex_refsource_MISC
github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9wmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000