CVE-2024-31205
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in refreshToken mutation, while the token persists in JWT_REFRESH_TOKEN_COOKIE_NAME cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token. This will fix the issue, but be aware, that it returns JWT_MISSING_TOKEN instead of JWT_INVALID_TOKEN.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| saleor | saleor | >= 3.10.0, < 3.14.64 | affected |
| saleor | saleor | >= 3.15.0, < 3.15.39 | affected |
| saleor | saleor | >= 3.16.0, < 3.16.39 | affected |
| saleor | saleor | >= 3.17.0, < 3.17.35 | affected |
| saleor | saleor | >= 3.18.0, < 3.18.31 | affected |
| saleor | saleor | >= 3.19.0, < 3.19.19 | affected |
Weaknesses
- CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9w
- https://github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7
References
- https://github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9w
- https://github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.