An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Axios | Axios | 1.5.1 (including) | 1.5.1 (including) |
| Migration Toolkit for Runtimes 1 on RHEL 8 | RedHat | axios | * |
| MTA-6.2-RHEL-9 | RedHat | mta/mta-windup-addon-rhel9:6.2.3-2 | * |
| MTA-7.0-RHEL-9 | RedHat | mta/mta-cli-rhel9:7.0.3-16 | * |
| MTA-7.0-RHEL-9 | RedHat | mta/mta-ui-rhel9:7.0.3-13 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-central-db-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-collector-rhel8:4.7.0-3 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-operator-bundle:4.7.0-3 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-rhel8-operator:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-roxctl-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.0-3 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-scanner-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.0-4 | * |
| Red Hat Advanced Cluster Security 4.7 | RedHat | advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.0-4 | * |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | RedHat | automation-controller-0:4.5.5-2.el8ap | * |
| Red Hat Ansible Automation Platform 2.4 for RHEL 9 | RedHat | automation-controller-0:4.5.5-2.el9ap | * |
| Red Hat Migration Toolkit for Containers 1.8 | RedHat | rhmtc/openshift-migration-ui-rhel8:v1.8.3-4 | * |
| RHEL-8-CNV-4.12 | RedHat | container-native-virtualization/kubevirt-console-plugin:v4.12.12-7 | * |
| RHEL-9-CNV-4.13 | RedHat | container-native-virtualization/kubevirt-console-plugin-rhel9:v4.13.10-387 | * |
| RHEL-9-CNV-4.14 | RedHat | container-native-virtualization/kubevirt-console-plugin-rhel9:v4.14.6-195 | * |
| RHEL-9-CNV-4.15 | RedHat | container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383 | * |
| RHEL-9-CNV-4.16 | RedHat | container-native-virtualization/kubevirt-console-plugin-rhel9:v4.16.0-4001 | * |
| Node-axios | Ubuntu | bionic | * |
| Node-axios | Ubuntu | focal | * |
| Node-axios | Ubuntu | lunar | * |
| Node-axios | Ubuntu | mantic | * |
| Node-axios | Ubuntu | oracular | * |
| Node-axios | Ubuntu | plucky | * |
| Node-axios | Ubuntu | trusty | * |
| Node-axios | Ubuntu | xenial | * |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html