
CVE-2020-7965:
Cross-Site Request Forgery in Webargs

CVSS Score: 8.8

Basic Information

EPSS Score: -
Published: 4/7/2021
Updated: 11/19/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions    | First Patched Version
webargs      | pip       | >= 5.0.0, < 5.5.3      | 5.5.3
webargs      | pip       | >= 6.0.0b1, < 6.0.0b4  | 6.0.0b4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the JSON parsing logic in webargs' framework-specific parsers (Flask, Webapp2, Bottle), which did not validate the request Content-Type before decoding the body. The fix commit adds Content-Type checks to webapp2parser.py and bottleparser.py, implying that their pre-patch versions decoded any body that happened to be valid JSON. The CVE description explicitly names flaskparser.py, so its JSON parsing function (likely load_json; the exact name is inferred rather than shown in the diff) is included even though the diff does not show it directly. All three parsers accepted JSON regardless of Content-Type, including bodies sent as application/x-www-form-urlencoded. That is what turns a parsing shortcut into CSRF: browsers send cross-origin requests whose Content-Type is form-urlencoded, multipart or text/plain without a CORS preflight, whereas a body labelled application/json triggers one. An endpoint that insists on application/json therefore cannot be reached by a forged cross-site request, while one that will decode JSON out of a form-encoded body can, as long as the victim's browser attaches the session cookie.

WAF Protection Rules

WAF Rule

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded.
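The root cause analysis above and the CVE description just given both come down to one missing check. The following is an added example, not webargs code and not taken from the fix commit: it models the pre-patch and post-patch JSON parsers side by side and adds the CORS preflight test that explains why the missing check is a CSRF problem rather than a harmless leniency. The Request class, the MISSING sentinel and the function names are assumptions made for the example; the real parsers operate on Flask, Bottle and Webapp2 request objects.

```python
import json
from dataclasses import dataclass

# Sentinel returned when a location holds no usable data. webargs has its
# own "missing" marker for this; the name here is an assumption.
MISSING = object()

# Content types a browser may send cross-origin WITHOUT a CORS preflight
# (the CORS-safelisted values for the Content-Type request header).
CORS_SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    content_type: str
    body: bytes


def mimetype(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def is_json_request(req: Request) -> bool:
    """True for application/json and structured-syntax suffixes (+json)."""
    mt = mimetype(req.content_type)
    return mt == "application/json" or mt.endswith("+json")


def needs_preflight(req: Request) -> bool:
    """Would a cross-origin browser request with this Content-Type be
    subject to a CORS preflight? If so, a malicious page cannot deliver
    it silently to a victim's session."""
    return mimetype(req.content_type) not in CORS_SAFELISTED_CONTENT_TYPES


def parse_json_vulnerable(req: Request):
    """Pre-fix behaviour: decode whatever the body is, ignoring Content-Type."""
    try:
        return json.loads(req.body)
    except ValueError:
        return MISSING


def parse_json_fixed(req: Request):
    """Post-fix behaviour: refuse to treat a non-JSON request as JSON."""
    if not is_json_request(req):
        return MISSING
    return parse_json_vulnerable(req)


def forgeable_cross_origin(req: Request, parser) -> bool:
    """The CSRF exposure is the combination of two facts: the request
    reaches the server without a preflight AND the parser accepts its body."""
    return (not needs_preflight(req)) and parser(req) is not MISSING


# Constructed sample traffic (not captured from any real system).
LEGIT = Request("application/json; charset=utf-8",
                b'{"email": "user@example.com"}')
# What a cross-site page can produce: a raw JSON string sent by fetch() with
# a safelisted Content-Type, so no preflight is triggered and cookies ride along.
FORGED = Request("application/x-www-form-urlencoded",
                 b'{"email": "attacker@example.com"}')

if __name__ == "__main__":
    for name, parser in (("vulnerable", parse_json_vulnerable),
                         ("fixed", parse_json_fixed)):
        print(name, "forgeable:", forgeable_cross_origin(FORGED, parser))
```

The fixed parser returns MISSING for the forged request, so a webargs schema behind it would report the fields as absent instead of updating the victim's account. Note that a plain HTML form with enctype application/x-www-form-urlencoded percent-encodes the braces and would not yield valid JSON; the realistic delivery paths are fetch() or XMLHttpRequest with a safelisted Content-Type and a raw string body, or a text/plain form whose field name and value are crafted to concatenate into JSON. Whether cookies accompany such a request also depends on the session cookie's SameSite attribute, which is a separate defence from the parser check.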
