
CVE-2022-24740: Sudden swap of user auth tokens in Volto

CVSS Score: 5 (CVSS v3.1)

Basic Information

EPSS Score: 0.47778%
Published: 3/14/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name: @plone/volto
Ecosystem: npm
Vulnerable Versions: >= 14.0.0-alpha.6, <= 14.10.0
First Patched Version: 15.0.0-alpha.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from react-cookie's implementation details in versions prior to 4.1.1. The library's singleton-based architecture created a shared cookie state across user sessions. When combined with Volto's authentication flow and high server load, this could lead to cookie overwrites between users. The fix involved upgrading to react-cookie 4.1.1, which introduces instance-based cookie handling, confirming that the vulnerability resided in the cookie management pattern of the library itself rather than in specific application-layer functions.
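The shared-state failure described above, as an added illustration that is not react-cookie's or Volto's code: a module-level singleton cookie jar consulted by two interleaved server-side renders, beside a per-request instance that cannot leak. All names (sharedJar, CookieJar, renderWithSingleton, renderWithInstance, simulate) and the sample tokens are constructed for this example, and the interleaving that high load would produce is forced with a timer so the effect is reproducible offline.

```javascript
// Added illustration of the root cause: process-wide (singleton) cookie state
// versus per-request (instance) cookie state during server-side rendering.
// Nothing here is react-cookie or Volto code; names and tokens are constructed.

// --- Vulnerable pattern: one jar shared by every request in the process ---
const sharedJar = new Map(); // singleton, outlives any single request

async function renderWithSingleton(requestCookies, user) {
  // Step 1: load this request's cookies into the shared jar.
  for (const [name, value] of Object.entries(requestCookies)) {
    sharedJar.set(name, value);
  }
  // Simulated async work (e.g. a data fetch). While this request waits,
  // another request can run Step 1 and overwrite the shared jar.
  await new Promise((resolve) => setTimeout(resolve, 0));
  // Step 2: read the auth token back when rendering. Under interleaving this
  // may now be another user's token.
  return { user, authToken: sharedJar.get('auth_token') };
}

// --- Fixed pattern: each request owns its own jar instance ---
class CookieJar {
  constructor(initial) {
    this.store = new Map(Object.entries(initial));
  }
  get(name) {
    return this.store.get(name);
  }
}

async function renderWithInstance(requestCookies, user) {
  const jar = new CookieJar(requestCookies); // per-request instance
  await new Promise((resolve) => setTimeout(resolve, 0)); // same async gap
  return { user, authToken: jar.get('auth_token') }; // always this request's token
}

// Run two requests concurrently and report which users, if any, were
// rendered with a token that belongs to someone else.
async function simulate(render) {
  // Constructed sample requests: two users with distinct auth cookies.
  const results = await Promise.all([
    render({ auth_token: 'token-for-alice' }, 'alice'),
    render({ auth_token: 'token-for-bob' }, 'bob'),
  ]);
  const expected = { alice: 'token-for-alice', bob: 'token-for-bob' };
  const swapped = results
    .filter((r) => r.authToken !== expected[r.user])
    .map((r) => r.user);
  return { results, swapped };
}

// Stand-alone run: the singleton jar hands alice bob's token; the instance
// jar keeps each user's token with their own request.
Promise.all([simulate(renderWithSingleton), simulate(renderWithInstance)]).then(
  ([singleton, instance]) => {
    console.log('singleton jar, users holding a foreign token:', singleton.swapped);
    console.log('per-request jar, users holding a foreign token:', instance.swapped);
  }
);
```

The detection angle for a defender is the same as the simulation's check: any server-rendered response whose session identity differs from the identity carried by the request's own cookie is a sign of cross-request state, and the mitigation is to scope cookie state to the request (the instance-based handling the patched react-cookie release provides) rather than to the process.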


WAF Protection Rules

WAF Rule

Impact

Due to the usage of an outdated version of the react-cookie library, under the circumstances of given a server high load, it is possible that a user could get his/her auth cookie replaced with the auth cookie from another user, effectively
