softwaremill/akka-http-session

softwaremill/akka-http-session

softwaremill.com

Releases47

Frequency2 months 3 days

Last Release almost 3 years ago

Stars438

Web & mobile client-side akka-http sessions, with optional JWT support

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-28452 ↗	Jan 20, 2021Wednesday, 20 January 2021, 18:15	6.3 MEDIUM	6.8 MEDIUM
This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty.
CVE-2020-7780 ↗	Nov 27, 2020Friday, 27 November 2020, 17:15	6.3 MEDIUM	6.8 MEDIUM
This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.