Cross-Site Request Forgery Vulnerability in Eclipse Vert.x Versions 3.0.0 to 3.5.2
CVE-2018-12540

8.8HIGH

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Vert.x
Vendor: CVE Published:; 12 July 2018

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-12540?

A vulnerability exists in Eclipse Vert.x versions 3.0.0 through 3.5.2, where the CSRFHandler does not properly verify the XSRF Cookie against the returned XSRF header or form parameter. This flaw enables attackers to reuse previously issued tokens that remain unexpired, potentially allowing for unauthorized actions to be performed on behalf of the user without their consent.

Affected Version(s)

Eclipse Vert.x 3.0

Eclipse Vert.x <= 3.5.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

vertx-web-xsrf
Created by bernard-wagner

CVE-2018-12540
Created by tafamace

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=536948

x_refsource_CONFIRM

https://access.redhat.com/errata/RHSA-2018:2371

vendor-advisoryx_refsource_REDHAT

https://lists.apache.org/thread.html/r59482ebed302aa49ac7...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 19, 2018
👾
Exploit known to exist
Nov 19, 2018
Vulnerability published
Jul 12, 2018
Vulnerability Reserved
Jun 18, 2018

The Eclipse Foundation

Badges

What is CVE-2018-12540?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline