
CVE-2021-4162: archivy is vulnerable to Cross-Site Request Forgery (CSRF)

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.28214%
Published: 1/6/2022
Updated: 9/12/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: archivy
Ecosystem: pip
Vulnerable Versions: < 1.6.2
First Patched Version: 1.6.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from two key issues: 1) The delete endpoint used unsafe HTTP methods (GET/DELETE) without CSRF protection, allowing trivial CSRF exploitation. 2) Form handling in click_web didn't validate() CSRF tokens, enabling forged requests. The patch added CSRFProtect middleware, restricted deletion to POST, and implemented token validation in forms.


WAF Protection Rules

WAF Rule

archivy is vulnerable to Cross-Site Request Forgery (CSRF). There is [a fix](https://github.com/archivy/archivy/commit/****************************************) available in the master branch.
