Axios Cross-Site Request Forgery Vulnerability #44

Closed
opened 2023-11-10 04:43:42 +00:00 by argoyle · 0 comments
argoyle commented 2023-11-10 04:43:42 +00:00 (Migrated from gitlab.com)

⚠️ dependabot-gitlab has detected security vulnerability for axios in path: /, manifest_file: /package.json but was unable to update it! ⚠️

| Package | Severity | Affected versions | Patched versions | IDs |
|-------------|----------|-------------------|------------------|----------------------------------------|
| axios (NPM) | MODERATE | >= 0.8.1, < 1.6.0 | 1.6.0 | GHSA-wf5p-g6vw-rhxx, CVE-2023-45857 |

Description

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

References

* https://nvd.nist.gov/vuln/detail/CVE-2023-45857
* https://github.com/axios/axios/issues/6006
* https://github.com/axios/axios/issues/6022
* https://github.com/axios/axios/pull/6028
* https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0
* https://github.com/axios/axios/releases/tag/v1.6.0
* https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
* https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
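The advisory text above describes the problem in one sentence: a token that is only meaningful to the page's own backend gets copied from a cookie into a request header on every request, including requests to other hosts. The following is an added example written for this page, not axios's implementation and not part of the original issue. It models that behaviour in a few lines of JavaScript next to the same-origin check that closes it, and includes an audit helper that lists which outbound destinations would receive the token. The cookie value, the page origin, the sample request list and the per-request `forceXsrfToken` opt-in flag are constructed assumptions for the example.

```javascript
// Added example (not axios code): model of the CVE-2023-45857 behaviour
// described in the advisory, next to a same-origin gate that prevents the leak.
// Cookie value, page origin, sample URLs and the forceXsrfToken flag are
// constructed assumptions for this illustration.

const XSRF_COOKIE_NAME = 'XSRF-TOKEN';
const XSRF_HEADER_NAME = 'X-XSRF-TOKEN';

// Constructed sample state: the document's cookie jar and the origin the page
// was loaded from.
const sampleCookies = { [XSRF_COOKIE_NAME]: 'tok-1234' };
const pageOrigin = 'https://app.example.com';

// Same-origin test (RFC 6454): scheme, host and port must all match.
// Relative URLs resolve against the page origin, so they are same-origin.
function isSameOrigin(requestUrl, origin) {
  const target = new URL(requestUrl, origin);
  const base = new URL(origin);
  return target.protocol === base.protocol &&
         target.hostname === base.hostname &&
         target.port === base.port;
}

// Build the headers that would accompany one request.
//   mode 'vulnerable': copy the cookie into the header whenever a token cookie
//     exists, regardless of destination (the behaviour the advisory describes).
//   mode 'hardened': copy it only for same-origin destinations, or when the
//     caller explicitly opts in for that request with forceXsrfToken: true;
//     forceXsrfToken: false suppresses it even for same-origin requests.
function buildHeaders(requestUrl, { mode, cookies = sampleCookies, origin = pageOrigin, forceXsrfToken } = {}) {
  const headers = {};
  const token = cookies[XSRF_COOKIE_NAME];
  if (!token) return headers;

  let attach;
  if (mode === 'vulnerable') {
    attach = true;
  } else {
    attach = forceXsrfToken === true ||
             (forceXsrfToken !== false && isSameOrigin(requestUrl, origin));
  }
  if (attach) headers[XSRF_HEADER_NAME] = token;
  return headers;
}

// Audit helper: which destinations would receive the token although they are
// not the page's own origin? Run over an app's outbound URL list to see what a
// pre-1.6.0 style client would expose.
function auditRequests(urls, mode) {
  return urls.filter(u =>
    XSRF_HEADER_NAME in buildHeaders(u, { mode }) && !isSameOrigin(u, pageOrigin));
}

// Constructed sample of an application's outbound calls.
const sampleRequests = [
  '/api/profile',                              // same-origin, relative URL
  'https://app.example.com:443/api/orders',    // same-origin, explicit default port
  'https://cdn.example.com/config.json',       // different host
  'http://app.example.com/api/profile',        // different scheme
  'https://app.example.com:8443/api/profile',  // different port
];

console.log('token leaked to (vulnerable model):', auditRequests(sampleRequests, 'vulnerable'));
console.log('token leaked to (hardened model):  ', auditRequests(sampleRequests, 'hardened'));
```

The audit list is the practical check: on the vulnerable model the CDN host, the plain-http variant of the app host and the alternate port all receive the token; on the hardened model nothing off-origin does unless a request explicitly opts in. Note that `URL` normalizes the default port away, which is why `https://app.example.com:443` is correctly treated as same-origin; a string comparison on the raw host would have flagged it.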
argoyle (Migrated from gitlab.com) closed this issue 2023-11-16 04:43:01 +00:00
Reference: dancefinder/dancefinder-app#44