Vulnerability Details : CVE-2022-39268
### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account. ### Patch Upgrade to v2022.09.10 to patch this vulnerability. ### Workarounds Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d ### References https://en.wikipedia.org/wiki/Cross-site_request_forgery https://cwe.mitre.org/data/definitions/352.html ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/orchest/orchest * Email us at rick@orchest.io
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2022-39268
- cpe:2.3:a:orchest:orchest:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39268
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 32 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-39268
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
GitHub, Inc. |
CWE ids for CVE-2022-39268
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-39268
-
https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d
Set auth cookies to SameSite=Lax · orchest/orchest@c2587a9 · GitHubPatch;Third Party Advisory
-
https://github.com/orchest/orchest/security/advisories/GHSA-q44f-8jpw-qv4j
Cross-site request forgery allows control of a user instance · Advisory · orchest/orchest · GitHubThird Party Advisory
-
https://github.com/orchest/orchest/pull/1324
Release - v2022.09.10 by fruttasecca · Pull Request #1324 · orchest/orchest · GitHubPatch;Third Party Advisory
-
https://github.com/orchest/orchest/releases/tag/v2022.09.10
Release v2022.09.10 · orchest/orchest · GitHubRelease Notes;Third Party Advisory
Jump to