Cross-site request forgery in Spotify Luigi



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-1000843
CWE-ID CWE-352
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Luigi
Web applications / Remote management & hosting panels

Vendor Spotify

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site request forgery

EUVDB-ID: #VU17477

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1000843

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to the Cross-Origin Resource Sharing (CORS) mechanism used by the affected software fails to check request origins. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users.

Mitigation

Update to version 2.8.0.

Vulnerable software versions

Luigi: 2.3.0 - 2.7.9

CPE2.3 External links

https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67
https://github.com/spotify/luigi/pull/1870
https://groups.google.com/forum/#!topic/luigi-user/ZgfRTpBsVUY


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###