Bug 1974197 (CVE-2021-32677)

Summary: CVE-2021-32677 python-fastapi: Cross-Site Request Forgery attack
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: code
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-21 09:03:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1974198    
Bug Blocks:    

Description Marian Rehak 2021-06-21 06:30:43 UTC 
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.

Reference:

https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATAWX25TYKNEKLDMKWNLYDB34UWTROA/
Comment 1 Marian Rehak 2021-06-21 06:30:59 UTC 
Created python-fastapi tracking bugs for this issue:

Affects: fedora-34 [bug 1974198]
Comment 2 Product Security DevOps Team 2021-06-21 09:03:56 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Ben Beasley 2021-06-21 12:04:25 UTC 
See https://bugzilla.redhat.com/show_bug.cgi?id=1974198.

This CVE was already fixed in Fedora 34 by updating to version 0.65.2 two weeks ago (https://bodhi.fedoraproject.org/updates/FEDORA-2021-917e89c036). The update has been in Fedora 34 stable for a week.

The update was marked as a security update and the update description, RPM changelog, and fedpkg commit message all referenced the CVE.

The package was updated in Fedora Rawhide, too, but the build was blocked by Python 3.10 bugs in dependencies. Currently, only https://bugzilla.redhat.com/show_bug.cgi?id=1949430 in python-wsproto is preventing a Rawhide build (see also https://bugzilla.redhat.com/show_bug.cgi?id=1968972).