CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS
Percentile
37.6%
Severity: Medium
Date : 2021-07-01
CVE-ID : CVE-2021-32677
Package : python-fastapi
Type : cross-site request forgery
Remote : Yes
Link : https://security.archlinux.org/AVG-2060
The package python-fastapi before version 0.65.2-1 is vulnerable to
cross-site request forgery.
Upgrade to 0.65.2-1.
The problem has been fixed upstream in version 0.65.2.
To mitigate the issue, it would be possible to add a middleware or a
dependency that checks the content-type header and aborts the request
if it is not application/json or another JSON compatible content type.
FastAPI versions lower than 0.65.2 that used cookies for authentication
in path operations that received JSON payloads sent by browsers were
vulnerable to a Cross-Site Request Forgery (CSRF) attack.
In versions lower than 0.65.2, FastAPI would try to read the request
payload as JSON even if the content-type header sent was not set to
application/json or a compatible JSON media type (e.g.
application/geo+json).
So, a request with a content type of text/plain containing JSON data
would be accepted and the JSON data would be extracted.
But requests with content type text/plain are exempt from CORS
preflights, for being considered Simple requests. So, the browser would
execute them right away including cookies, and the text content could
be a JSON string that would be parsed and accepted by the FastAPI
application.
A remote attacker could perform cross-origin request forgery (CSRF)
attacks on FastAPI applications accepting JSON payloads.
https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
https://github.com/tiangolo/fastapi/pull/2118
https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
https://security.archlinux.org/CVE-2021-32677
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | python-fastapi | < 0.65.2-1 | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS
Percentile
37.6%