CVE-2022-39268

HIGH

orchest 2022.03.7-2022.09.9 - Cross-Site Request Forgery


Description

### Impact

In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

### Patch

Upgrade to v2022.09.10 to patch this vulnerability.

### Workarounds

Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d

### References

- https://en.wikipedia.org/wiki/Cross-site_request_forgery
- https://cwe.mitre.org/data/definitions/352.html

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/orchest/orchest
* Email us at [email protected]

References (4)

Core References

- https://github.com/orchest/orchest/pull/1324 (Patch, Third Party Advisory; x_refsource_misc)
- https://github.com/orchest/orchest/releases/tag/v2022.09.10 (Release Notes, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 8.1
EPSS 0.0038
EPSS Percentile 30.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (1)
orchest/orchest 2022.03.7 - 2022.09.9
Published Sep 30, 2022
Tracked Since Feb 18, 2026