CVE-2020-7965: Cross-Site Request Forgery in Webargs
(updated )
flaskparser.py in Webargs 5.x through 5.5.2 doesn’t check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.
References
- github.com/advisories/GHSA-fjq3-5pxw-4wj4
- github.com/marshmallow-code/webargs
- github.com/marshmallow-code/webargs/commit/b9ee8b0aa668207a363d9fd21d967eeadb975c3e
- github.com/pypa/advisory-database/tree/main/vulns/webargs/PYSEC-2020-156.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-7965
- webargs.readthedocs.io/en/latest/changelog.html
- webargs.readthedocs.io/en/latest/changelog.html
- webargs.readthedocs.io/en/latest/changelog.html
Detect and mitigate CVE-2020-7965 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →