1974197 – (CVE-2021-32677) CVE-2021-32677 python-fastapi: Cross-Site Request Forgery attack

Bug 1974197 (CVE-2021-32677) - CVE-2021-32677 python-fastapi: Cross-Site Request Forgery attack

Summary: CVE-2021-32677 python-fastapi: Cross-Site Request Forgery attack

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2021-32677
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1974198
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-21 06:30 UTC by Marian Rehak
Modified:	2021-06-21 12:04 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-06-21 09:03:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2021-06-21 06:30:43 UTC

FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.

Reference:

https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MATAWX25TYKNEKLDMKWNLYDB34UWTROA/

Comment 1 Marian Rehak 2021-06-21 06:30:59 UTC

Created python-fastapi tracking bugs for this issue:

Affects: fedora-34 [bug 1974198]

Comment 2 Product Security DevOps Team 2021-06-21 09:03:56 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 3 Ben Beasley 2021-06-21 12:04:25 UTC

See https://bugzilla.redhat.com/show_bug.cgi?id=1974198.

This CVE was already fixed in Fedora 34 by updating to version 0.65.2 two weeks ago (https://bodhi.fedoraproject.org/updates/FEDORA-2021-917e89c036). The update has been in Fedora 34 stable for a week.

The update was marked as a security update and the update description, RPM changelog, and fedpkg commit message all referenced the CVE.

The package was updated in Fedora Rawhide, too, but the build was blocked by Python 3.10 bugs in dependencies. Currently, only https://bugzilla.redhat.com/show_bug.cgi?id=1949430 in python-wsproto is preventing a Rawhide build (see also https://bugzilla.redhat.com/show_bug.cgi?id=1968972).

Note You need to log in before you can comment on or make changes to this bug.