CVE-2023-40021

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Aug 16, 2023
Updated: Aug 25, 2023
CWE ID 208
CWE ID 203

Summary

CVE-2023-4021: A timing attack vulnerability was discovered in Oppia's CSRF token validation mechanism. The platform's CsrfTokenManager incorrectly uses string equality (`==`) for token comparison, allowing an attacker to recover the expected token character by character through repeated submission of invalid tokens. Once obtained, the attacker can perform privileged actions on behalf of a logged-in user, including profile modifications and exploration management, before the token changes again. No known workarounds exist, and users are advised to upgrade to release 3.3.2-hotfix-2, which includes the necessary patch.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share