CVE-2022-28108: Selenium Server (Grid) CSRF
Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. These are exactly the content types a cross-site HTML form can submit, and browsers send them without a CORS preflight, so a page in another origin can make a victim's browser issue state-changing requests to the server.
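As an added example (not Selenium's own code or fix), the following request filter shows the weak behaviour described above beside the hardened form: only `application/json` bodies are processed, so a cross-site form cannot reach the endpoint, with an Origin check as defence in depth. The allowed-origin value and the sample requests are constructed for this illustration.

```python
# Added example: request-acceptance filter for the CVE-2022-28108 class of bug.
# Not Selenium's code; ALLOWED_ORIGINS is a constructed assumption.

JSON_TYPE = "application/json"
ALLOWED_ORIGINS = {"http://localhost:4444"}  # assumption: the server's own origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def media_type(header_value):
    """Bare media type from a Content-Type value, dropping parameters
    such as '; charset=utf-8' or '; boundary=...'."""
    if not header_value:
        return None
    return header_value.split(";", 1)[0].strip().lower()


def accept_request(method, headers, json_only=True):
    """Return (accepted, reason) for a request.

    json_only=False mirrors the pre-fix behaviour the advisory describes (any
    content type is processed); json_only=True is the hardened form."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change"
    ctype = media_type(hdrs.get("content-type"))
    if not json_only:
        # Vulnerable configuration: form-capable types such as
        # application/x-www-form-urlencoded, multipart/form-data and text/plain
        # are processed, and a cross-site HTML form can send exactly those.
        return True, f"accepted {ctype!r} without enforcement"
    if ctype != JSON_TYPE:
        return False, f"rejected {ctype!r}: only {JSON_TYPE} is accepted"
    origin = hdrs.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"rejected cross-site origin {origin!r}"
    return True, "json body from an allowed origin"


def classify_samples():
    """Run constructed sample requests through both configurations.
    Returns (method, content type, accepted-when-vulnerable, accepted-when-hardened)."""
    samples = [
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        ("POST", {"Content-Type": "multipart/form-data; boundary=xyz"}),
        ("POST", {"Content-Type": "text/plain"}),
        ("POST", {"Content-Type": "application/json; charset=utf-8"}),
    ]
    return [(m, h["Content-Type"], accept_request(m, h, json_only=False)[0],
             accept_request(m, h)[0]) for m, h in samples]
```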
References
- github.com/SeleniumHQ/selenium
- github.com/advisories/GHSA-h2rr-m97p-6jq9
- nvd.nist.gov/vuln/detail/CVE-2022-28108
- www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce
- www.openwall.com/lists/oss-security/2022/02/07/3
- www.openwall.com/lists/oss-security/2022/04/14/2
- www.selenium.dev/downloads