CVE-2023-45128
Published: 16 October 2023
Summary
CVE-2023-45128 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Gofiber Fiber. Its CVSS base score is 10.0 (Critical).
Operationally, ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2708
Vulnerability details
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This…
more
vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Prevents reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.
Directly implements checks on information inputs to reject invalid data before processing.
Detects anomalous request patterns consistent with cross-site request forgery.