
fix(deps) CVE–2023–45857 (bump axios) #6665

Merged
merged 3 commits into from Jan 27, 2024

Conversation

debricked[bot]
Contributor

@debricked debricked bot commented Jan 26, 2024

CVE–2023–45857

Vulnerability details

Description

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

NVD

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

GitHub

Axios Cross-Site Request Forgery Vulnerability

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVSS details - 6.5


CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None
References

    Axios Cross-Site Request Forgery Vulnerability · CVE-2023-45857 · GitHub Advisory Database · GitHub
    NVD - CVE-2023-45857
    CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor · Issue #6006 · axios/axios · GitHub
    fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028) · axios/axios@96ee232 · GitHub
    Release Release v1.6.0 · axios/axios · GitHub
    CSRF vulnerability in AXIOS 0.24.1 to latest · Issue #6022 · axios/axios · GitHub
    Cross-site Request Forgery (CSRF) in axios | CVE-2023-45857 | Snyk
    CVE 2023 45857 by valentin-panov · Pull Request #6028 · axios/axios · GitHub


Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE



cloudflare-pages bot commented Jan 26, 2024

Deploying with Cloudflare Pages

Latest commit: 436866e
Status: ✅  Deploy successful!
Preview URL: https://d3c4dc41.immich.pages.dev
Branch Preview URL: https://debricked-fix-cve-2023-45857.immich.pages.dev


@etnoy etnoy added the dependencies Pull requests that update a dependency file label Jan 26, 2024
@etnoy etnoy closed this Jan 26, 2024
@etnoy etnoy reopened this Jan 26, 2024
…icked-fix-CVE_2023_45857-de47a6a33003c923
@etnoy etnoy changed the title fix(deps) CVE–2023–45857 fix(deps) CVE–2023–45857 (bump axios) Jan 26, 2024
@jrasm91 jrasm91 merged commit 70aeb82 into main Jan 27, 2024
24 checks passed
@jrasm91 jrasm91 deleted the debricked-fix-CVE_2023_45857-de47a6a33003c923 branch January 27, 2024 00:26
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants