Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-45857) & Proxy Authentication Credentials Leak (GHSA-wf5p-g6vw-rhxx)

Writer: KUR | Program: 버그캠프 (Bugcamp)

Category: WEB | Status: Out of scope | Severity: None | Reward: No Reward | Created: Oct 18, 2024 (4 days ago) | Last Updated: Oct 22, 2024 (14 hours ago)

Weakness

The Axios library, version 0.21.4

Description

Vulnerability Description:

The Axios library, version 0.21.4, is vulnerable to two medium-severity vulnerabilities:

Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-45857): Axios is vulnerable to CSRF attacks, which could allow an attacker to perform unauthorized actions on behalf of the user.
Proxy Authentication Credentials Leak (GHSA-wf5p-g6vw-rhxx): Axios depends on the follow-redirects library, which has a vulnerability that could leak proxy authentication credentials.

Impact:

CSRF Vulnerability: An attacker could use this vulnerability to perform unauthorized actions on behalf of the user, such as changing their account settings or making unauthorized requests.
Proxy Authentication Credentials Leak: An attacker could use this vulnerability to obtain the proxy authentication credentials, which could be used to access sensitive information or systems.

Remediation:

Update Axios to a secure version: Update Axios to version 1.6.8 or later, which fixes the CSRF vulnerability.
Update follow-redirects to a secure version: Update the follow-redirects library to version 1.15.6 or later, which fixes the proxy authentication credentials leak vulnerability.
Implement CSRF protection: Implement CSRF protection measures, such as using the csrf middleware in your application.
Use a secure proxy configuration: Use a secure proxy configuration that does not leak authentication credentials.
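The version upgrades above are the concrete part of the remediation, and the first thing a maintainer will want to do is find every copy of the two packages in a dependency tree, including transitive copies nested under other packages. The following script is an added example, not part of the ticket or of the Axios or follow-redirects projects: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3; v1 lockfiles are not handled) and reports installs older than the fixed versions the report states (axios 1.6.8, follow-redirects 1.15.6). The sample lockfile is constructed inline, and the fixed-version thresholds should be confirmed against the upstream advisories before the table is relied on.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3) for the two
// advisories named in the report. Fixed versions are the ones the report states;
// confirm them against the upstream advisories before relying on this table.
const ADVISORIES = [
  { name: 'axios', id: 'CVE-2023-45857', fixedIn: '1.6.8' },
  { name: 'follow-redirects', id: 'GHSA-wf5p-g6vw-rhxx', fixedIn: '1.15.6' },
];

// Compare dotted numeric versions; returns -1, 0 or 1. Anything after a '-' (a
// pre-release tag) is dropped, so '1.6.8-beta' compares as 1.6.8. Assumption:
// the lockfiles audited here pin release versions, not pre-releases.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a v2/v3 lockfile. Keys look like "node_modules/axios"
// or "node_modules/foo/node_modules/follow-redirects", so nested transitive copies
// are found as well as top-level ones. Returns one finding per vulnerable install.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    for (const adv of ADVISORIES) {
      if (name === adv.name && entry.version && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({ path, name, version: entry.version, id: adv.id, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile mirroring the report: axios 0.21.4 carrying its own
// nested follow-redirects, while the top-level follow-redirects is already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/axios': { version: '0.21.4', dependencies: { 'follow-redirects': '^1.14.0' } },
    'node_modules/axios/node_modules/follow-redirects': { version: '1.14.0' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.id}: ${f.path} has ${f.name}@${f.version}; upgrade to >= ${f.fixedIn}`);
}
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-path walk matters in practice: upgrading the top-level follow-redirects does nothing for a copy pinned under an old axios, which is exactly the case the sample reproduces.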

Steps to Reproduce:

Create a test environment: Create a test environment with Axios version 0.21.4 and a vulnerable version of follow-redirects.
Send a request with a malicious redirect: Send a request to the test environment with a malicious redirect that triggers the CSRF vulnerability.
Verify the response: Verify that the response contains the proxy authentication credentials.

Attachment

Timeline

KUR submitted ticket. October 18, 2024 (4 days ago)
Dona MANAGER changed the status from 'Submitted' to 'In Progress'. October 21, 2024 (2 days ago)
Dona MANAGER posted a comment. October 22, 2024 (14 hours ago)

Hello, KUR.
I’m Donna.

The ticket you reported is a report that only suggests the possibility of exploitation.
Therefore, since it is not a vulnerability, we will terminate it.

Dona MANAGER posted a comment. October 22, 2024 (14 hours ago)

To add some explanation:
This is not a BugCamp vulnerability specified in asset scope. So it ends up being “out of bounds”.
Thank you.

Dona MANAGER changed the severity from 'Medium' to 'None'. October 22, 2024 (14 hours ago)
Dona MANAGER changed the status from 'In Progress' to 'Out of scope'. October 22, 2024 (14 hours ago)
Dona MANAGER changed the disclosure from 'Closed' to 'Disclosed (Full)'. October 22, 2024 (14 hours ago)