GHSA-55mm-5399-7r63

Suggest an improvement
Source
https://github.com/advisories/GHSA-55mm-5399-7r63
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-55mm-5399-7r63/GHSA-55mm-5399-7r63.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-55mm-5399-7r63
Aliases
Published
2020-08-05T14:52:54Z
Modified
2023-11-08T04:02:30.222712Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N CVSS Calculator
Summary
Reliance on Cookies without validation in OctoberCMS
Details

Impact

Previously encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding.

Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them.

Patches

Issue has been patched in Build 468 (v1.0.468).

NOTE: If you are using the cookie session driver, all of your session data will be invalidated. All other session drivers should smoothly upgrade to the changes (although the backend authentication persist cookie will also be invalidated requiring users to login again once their current session expires).

Workarounds

Apply https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c to your installation manually if unable to upgrade to Build 468.

References

  • https://blog.laravel.com/laravel-cookie-security-releases
  • https://github.com/laravel/framework/compare/4c7d118181d6c7f1f883643702df807ced016c5e...a731824421f9ebc586728ea9c7cff231a249aaa9

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Threat Assessment

Assessed as Low given that it is not directly exploitable within the core but requires other security vulnerabilities within the application to have an effect and the severity of its effect depends entirely on the severity of those other holes in the application's defences.

Acknowledgements

Thanks to Takashi Terada of Mitsui Bussan Secure Directions, Inc. for finding the original issue in Laravel and @taylorotwell for sharing the report with the October CMS team.

Database specific
{
    "nvd_published_at": "2020-07-31T18:15:00Z",
    "github_reviewed_at": "2020-07-31T17:44:58Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-327",
        "CWE-565"
    ]
}
References

Affected packages

Packagist / october/rain

Package

Name
october/rain
Purl
pkg:composer/october/rain

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.319
Fixed
1.0.468

Affected versions

v1.*

v1.0.319
v1.0.320
v1.0.321
v1.0.322
v1.0.323
v1.0.324
v1.0.325
v1.0.326
v1.0.327
v1.0.328
v1.0.329
v1.0.330
v1.0.331
v1.0.332
v1.0.333
v1.0.334
v1.0.335
v1.0.336
v1.0.337
v1.0.338
v1.0.339
v1.0.340
v1.0.341
v1.0.342
v1.0.343
v1.0.344
v1.0.345
v1.0.346
v1.0.347
v1.0.348
v1.0.349
v1.0.350
v1.0.351
v1.0.352
v1.0.353
v1.0.354
v1.0.355
v1.0.356
v1.0.357
v1.0.358
v1.0.359
v1.0.360
v1.0.361
v1.0.362
v1.0.363
v1.0.364
v1.0.365
v1.0.366
v1.0.367
v1.0.368
v1.0.369
v1.0.370
v1.0.371
v1.0.372
v1.0.373
v1.0.374
v1.0.375
v1.0.376
v1.0.377
v1.0.378
v1.0.379
v1.0.380
v1.0.381
v1.0.382
v1.0.383
v1.0.384
v1.0.385
v1.0.386
v1.0.387
v1.0.388
v1.0.389
v1.0.390
v1.0.391
v1.0.392
v1.0.393
v1.0.394
v1.0.395
v1.0.396
v1.0.397
v1.0.398
v1.0.399
v1.0.400
v1.0.401
v1.0.402
v1.0.403
v1.0.404
v1.0.405
v1.0.406
v1.0.407
v1.0.408
v1.0.409
v1.0.410
v1.0.411
v1.0.412
v1.0.413
v1.0.414
v1.0.415
v1.0.416
v1.0.417
v1.0.418
v1.0.419
v1.0.420
v1.0.421
v1.0.422
v1.0.423
v1.0.424
v1.0.425
v1.0.426
v1.0.427
v1.0.428
v1.0.429
v1.0.430
v1.0.431
v1.0.432
v1.0.433
v1.0.434
v1.0.435
v1.0.436
v1.0.437
v1.0.438
v1.0.439
v1.0.440
v1.0.441
v1.0.442
v1.0.443
v1.0.444
v1.0.445
v1.0.446
v1.0.447
v1.0.448
v1.0.449
v1.0.450
v1.0.451
v1.0.452
v1.0.453
v1.0.454
v1.0.455
v1.0.456
v1.0.457
v1.0.458
v1.0.459
v1.0.460
v1.0.461
v1.0.462
v1.0.463
v1.0.464
v1.0.465
v1.0.466
v1.0.467