Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
  • Loading branch information
pickypg committed Dec 17, 2024
1 parent 2c5d96d commit e076283
Showing 1 changed file with 2 additions and 2 deletions.
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mfj5-cf8g-g2fv",
"modified": "2024-12-16T22:51:13Z",
"modified": "2024-12-16T22:51:15Z",
"published": "2024-12-02T20:04:43Z",
"aliases": [
"CVE-2024-53990"
],
"summary": "AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s",
"details": "### Summary\n\nWhen making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's `Cookie` being used for another user's requests.\n\n### Details\n\nThis issue is described without security warnings here:\n\nhttps://github.com/AsyncHttpClient/async-http-client/issues/1964\n\nA PR to fix this issue has been made:\n\nhttps://github.com/AsyncHttpClient/async-http-client/pull/2033\n\n### PoC\n\n1. Add an auth `Cookie` to the `CookieStore`\n - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above.\n2. Handle a different user's request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.\n3. Observe that the user's cookie in step 2 is passed as the Cookie in step 1.\n\n### Impact\n\nThis is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by _setting_ a cookie in the response, the `CookieStore` will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information).\n\nIf your service sets cookies based on the response that happens here, it's possible to lead to even greater levels of exposure.\n\n### Workaroud\n\nYou can avoid this issue by disabling the `CookieStore` during client creation:\n\n```java\nDefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()\n .setCookieStore(null)\n // other configuration\n ;",
"details": "### Summary\n\nWhen making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's `Cookie` being used for another user's requests.\n\n### Details\n\nThis issue is described without security warnings here:\n\nhttps://github.com/AsyncHttpClient/async-http-client/issues/1964\n\nA PR to fix this issue has been made:\n\nhttps://github.com/AsyncHttpClient/async-http-client/pull/2033\n\n### PoC\n\n1. Add an auth `Cookie` to the `CookieStore`\n - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above.\n2. Handle a different user's request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.\n3. Observe that the user's cookie in step 2 is passed as the Cookie in step 1.\n\n### Impact\n\nThis is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by _setting_ a cookie in the response, the `CookieStore` will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information).\n\nIf your service sets cookies based on the response that happens here, it's possible to lead to even greater levels of exposure.\n\n### Workaroud\n\nYou can avoid this issue by disabling the `CookieStore` during client creation:\n\n```java\nDefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()\n .setCookieStore(null)\n // other configuration\n ;\n```",
"severity": [
{
"type": "CVSS_V4",
Expand Down

0 comments on commit e076283

Please sign in to comment.