#VU17477 Cross-site request forgery in Luigi - CVE-2018-1000843

Cybersecurity Help s.r.o.

Published: 2019-02-12

Vulnerability identifier: #VU17477

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1000843

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Luigi
Web applications / Remote management & hosting panels

Vendor: Spotify

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to the Cross-Origin Resource Sharing (CORS) mechanism used by the affected software fails to check request origins. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users.

Mitigation
Update to version 2.8.0.

Vulnerable software versions

Luigi: 2.3.0 - 2.7.9

External links
https://github.com/spotify/luigi/blob/2.7.9/luigi/server.py#L67
https://github.com/spotify/luigi/pull/1870
https://groups.google.com/forum/#!topic/luigi-user/ZgfRTpBsVUY

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Cross-site request forgery in Spotify Luigi