Vulnerability Information
Vulnerability Title
Cross-Site Request Forgery in PAC4J
Vulnerability Description
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim's CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the token's effective security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent. This issue was fixed in PAC4J versions 5.7.10 and 6.4.1.
CVSS Information
N/A
Vulnerability Type
Cross-Site Request Forgery (CSRF)
Vulnerability Title
pac4j security vulnerability
Vulnerability Description
pac4j is a simple yet powerful Java security engine, published as open source by the pac4j project. It is used to authenticate users, retrieve their profiles and manage authorization in order to protect web applications and web services. pac4j versions before 5.7.10 and versions before 6.4.1 contain a security vulnerability: collisions in the deterministic String.hashCode() function can be computed directly, which bypasses CSRF protection and may allow a malicious attacker to perform profile updates, password changes, account linking and other state-changing operations.
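The weakness that both descriptions above point at, shown as an added Java example that is not pac4j's own code: a check that compares only the 32-bit String.hashCode() of the submitted token accepts any colliding string, whereas comparing the full token bytes in constant time does not. The class name, method names and token values are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CsrfTokenCheck {

    // Weak check (illustrative, not pac4j's code): the server kept only
    // token.hashCode(), so any string with the same 32-bit hash is accepted.
    static boolean weakCheck(int storedTokenHash, String submittedToken) {
        return submittedToken != null && submittedToken.hashCode() == storedTokenHash;
    }

    // Hardened check: keep the full random token server-side and compare every
    // byte in constant time, so the security margin is the token's full entropy.
    static boolean strongCheck(String storedToken, String submittedToken) {
        if (storedToken == null || submittedToken == null) {
            return false;
        }
        byte[] expected = storedToken.getBytes(StandardCharsets.UTF_8);
        byte[] actual = submittedToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Constructed sample tokens: "Aa" and "BB" are different strings with the
        // same String.hashCode() (65*31 + 97 == 66*31 + 66 == 2112).
        String legitimateToken = "Aa";
        String collidingToken = "BB";
        int storedHash = legitimateToken.hashCode();

        System.out.println("hashCode values collide: "
            + (legitimateToken.hashCode() == collidingToken.hashCode()));
        System.out.println("weak check accepts the colliding token: "
            + weakCheck(storedHash, collidingToken));
        System.out.println("strong check accepts the colliding token: "
            + strongCheck(legitimateToken, collidingToken));
        System.out.println("strong check accepts the real token: "
            + strongCheck(legitimateToken, legitimateToken));
    }
}
```

The fix direction this illustrates is the general one for any server-side secret comparison: never reduce the secret to a short deterministic hash before comparing, and use a constant-time equality on the full value.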
CVSS Information
N/A
Vulnerability Type
N/A