CVE-2023-31999

描述

### Impact All versions of @fastify/oauth2 used a statically generated `state` parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 `state` parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. ### Patches v7.2.0 changes the default behavior to store the `state` in a cookie with the `http-only` and `same-site=lax` attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the `checkStateFunction` function, which now accepts the full `Request` object. ### Workarounds There are no known workarounds. ### References * [Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters](https://auth0.com/docs/secure/attack-protection/state-parameters)

如何修補 CVE-2023-31999

要修補 CVE-2023-31999,請將受影響套件升級到下列已修補版本。

• —升級至 7.2.0 或更新版本

CVE-2023-31999 正在被利用嗎?

低 — EPSS 為 1.3%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 7.2.0

CVSS 分數

參考連結(6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-35935
• PATCHgithub.com/fastify/fastify-oauth2
• WEBauth0.com/docs/secure/attack-protection/state-parameters
• WEBgithub.com/fastify/fastify-oauth2/commit/bff756b456cbb769080631af2beb85671ff4c79c