CVE-2018-12540

Summary

In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.

Affected Software

VendorProductVersion RangeStatus
The Eclipse FoundationEclipse Vert.x3.0 < unspecifiedaffected
The Eclipse FoundationEclipse Vert.xunspecified <= 3.5.2affected

Weaknesses

  • CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References