UBUNTU-CVE-2020-35239

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2020-35239

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-35239.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-35239

Related

CVE-2020-35239

Published

2021-01-26T18:15:00Z

Modified

2024-10-15T14:07:49Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.

References

Affected packages

Ubuntu:Pro:16.04:LTS / cakephp

Package

Name: cakephp
Purl: pkg:deb/ubuntu/cakephp?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.2-1

2.8.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / cakephp

Package

Name: cakephp
Purl: pkg:deb/ubuntu/cakephp?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.10.11-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / cakephp

Package

Name: cakephp
Purl: pkg:deb/ubuntu/cakephp?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.10.11-2.1

2.10.24-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}