Use constant time comparisons for CSRF tokens #9291

rwinch · 2020-12-17T16:56:38Z

While it is not a practical exploit at this point, it is best to be defensive. We should change CSRF token comparison to use a constant time comparison to avoid side channel attacks.

NOTE: This was originally reported via Xhelal Likaj, [email protected]

ogarber · 2021-01-04T16:23:08Z

Hi @rwinch , I have a question: will this fix also be merged in the older pipe-lines (I'm interesting in 5.2.x...).
Thank you in advance

ogarber · 2021-01-12T14:13:21Z

Hi @rwinch , sorry for annoying...
Did you see my previous comment?

vnjapa · 2021-01-20T05:21:14Z

Hi @rwinch, will this fix will be merged in older versions like 5.2.x or when can we expect this release

Closes gh-9291

rwinch · 2021-01-20T22:22:42Z

I have backported the issue (see the linked issues). Each issue has a milestone with the expected release date.

ogarber · 2021-01-21T06:49:55Z

Thank you @rwinch !

rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 17, 2020

rwinch closed this as completed in 40e027c Dec 17, 2020

rwinch self-assigned this Dec 17, 2020

rwinch added this to the 5.5.0-M2 milestone Dec 17, 2020

rwinch pushed a commit that referenced this issue Jan 20, 2021

Constant Time Comparison for CSRF tokens

acb5ae6

Closes gh-9291

spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Jan 20, 2021

spring-projects-issues mentioned this issue Jan 20, 2021

Use constant time comparisons for CSRF tokens #9357

Closed

rwinch pushed a commit that referenced this issue Jan 20, 2021

Constant Time Comparison for CSRF tokens

e6d6b39

Closes gh-9291

spring-projects-issues mentioned this issue Jan 20, 2021

Use constant time comparisons for CSRF tokens #9358

Closed

rwinch pushed a commit that referenced this issue Jan 20, 2021

Constant Time Comparison for CSRF tokens

1181740

Closes gh-9291

spring-projects-issues mentioned this issue Jan 20, 2021

Use constant time comparisons for CSRF tokens #9359

Closed

mend-for-github.1485827954.workers.dev bot mentioned this issue Apr 14, 2021

WS-2020-0293 (Medium) detected in spring-security-web-3.2.7.RELEASE.jar shaimael/keycloak#1213

Closed

mend-for-github.1485827954.workers.dev bot mentioned this issue Jun 22, 2021

WS-2020-0293 (Medium) detected in spring-security-web-4.0.3.RELEASE.jar brogers588/Maven-Prioritize#85

Open

mend-bolt-for-github bot mentioned this issue Jun 23, 2021

WS-2020-0293 (Medium) detected in spring-security-web-4.2.18.RELEASE.jar hygieia/hygieia-core#336

Closed

This was referenced Jul 29, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.2.1.RELEASE.jar gms-ws-sandbox/WebGoat8#54

Open

WS-2020-0293 (Medium) detected in spring-security-web-5.2.1.RELEASE.jar Tim-sandbox/webgoat-trng#54

Open

mend-bolt-for-github bot mentioned this issue Jul 29, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.2.1.RELEASE.jar - autoclosed prafullkotecha/docusign-hackathon#20

Closed

This was referenced Aug 20, 2021

WS-2020-0293 (Medium) detected in multiple libraries - autoclosed snowdensb/spring-security-oauth#73

Closed

WS-2020-0293 (Medium) detected in spring-security-web-5.1.5.RELEASE.jar TreyM-WSS/togglr-api#75

Open

mend-for-github.1485827954.workers.dev bot mentioned this issue Sep 6, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.2.1.RELEASE.jar Galaxy-Software-Service/WebGoat#95

Open

mend-for-github.1485827954.workers.dev bot mentioned this issue Sep 28, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.4.2.jar Tim-sandbox/petclinic-rest#8

Open

mend-bolt-for-github bot mentioned this issue Oct 28, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.0.6.RELEASE.jar - autoclosed Chiencc/Spring5-Login_Prioritize-Sample#67

Closed

This was referenced Nov 3, 2021

WS-2020-0293 (Medium) detected in spring-security-web-4.2.9.RELEASE.jar, spring-security-web-4.2.3.RELEASE.jar - autoclosed KDWSS/dd-trace-java#63

Closed

WS-2020-0293 (Medium) detected in spring-security-web-4.2.1.RELEASE.jar Dima2022/Resiliency-Studio#143

Open

mend-for-github.1485827954.workers.dev bot mentioned this issue Nov 11, 2021

WS-2020-0293 (Medium) detected in spring-security-web-3.2.4.RELEASE.jar - autoclosed snowdensb/sonar-xanitizer#70

Closed

mend-bolt-for-github bot mentioned this issue Nov 12, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.4.2.jar exadel-inc/activity-based-security-framework#49

Open

mend-bolt-for-github bot mentioned this issue Dec 2, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.3.3.RELEASE.jar garymsegal/roller#27

Open

mend-for-github.1485827954.workers.dev bot mentioned this issue Dec 7, 2021

WS-2020-0293 (Medium) detected in spring-security-web-5.2.1.RELEASE.jar harrinry/spring-cloud-config#21

Open

mend-bolt-for-github bot mentioned this issue Dec 30, 2021

WS-2020-0293 (Medium) detected in spring-security-web-3.2.4.RELEASE.jar developerone12/WebGoat-WhiteSource-Bolt#67

Open

mend-bolt-for-github bot mentioned this issue Feb 15, 2022

WS-2020-0293 (Medium) detected in spring-security-web-5.3.3.RELEASE.jar - autoclosed ArchiMageAlex/singularity-core#113

Closed

mend-bolt-for-github bot mentioned this issue Mar 7, 2022

WS-2020-0293 (Medium) detected in spring-security-web-5.3.4.RELEASE.jar - autoclosed mgh3326/que_bang#78

Closed

mend-bolt-for-github bot mentioned this issue Mar 23, 2022

spring-security-web-3.2.4.RELEASE.jar: 9 vulnerabilities (highest severity is: 9.8) hasiMoto1/WebGoat-WhiteSource-Bolt#3

Open

This was referenced Mar 31, 2022

WS-2020-0293 (Medium) detected in spring-security-web-3.2.5.RELEASE.jar - autoclosed jgeraigery/dynatrace-service-broker#115

Closed

WS-2020-0293 (Medium) detected in spring-security-web-3.2.5.RELEASE.jar jgeraigery/dynatrace-service-broker#116

Open

dev-mend-for-github.1485827954.workers.dev bot mentioned this issue Apr 8, 2022

spring-boot-starter-security-2.2.6.RELEASE.jar: 4 vulnerabilities (highest severity is: 8.8) - autoclosed sultanabubaker/SAST-maven-project#4

Closed

mend-for-github.1485827954.workers.dev bot mentioned this issue Apr 11, 2022

WS-2020-0293 (Medium) detected in spring-security-web-5.2.1.RELEASE.jar - autoclosed wrbejar/WebGoat#153

Closed

mend-for-github.1485827954.workers.dev bot mentioned this issue Apr 18, 2022

spring-security-test-4.2.1.RELEASE.jar: 9 vulnerabilities (highest severity is: 8.8) timf-app-sandbox/terracotta-bank#18

Open

mend-for-github.1485827954.workers.dev bot mentioned this issue May 2, 2022

spring-boot-starter-security-2.3.0.RELEASE.jar: 7 vulnerabilities (highest severity is: 9.8) sureng-ws-ibm/APISecurity-crAPI#19

Open

mend-bolt-for-github bot mentioned this issue May 4, 2022

spring-security-web-3.2.4.RELEASE.jar: 9 vulnerabilities (highest severity is: 9.8) testdemo1227/Demo-WebGoat1#4

Open

mend-bolt-for-github bot mentioned this issue May 31, 2022

spring-security-web-4.0.3.RELEASE.jar: 9 vulnerabilities (highest severity is: 9.8) dca13/insecure-bank#14

Open

sureng-whitesource-app bot mentioned this issue Jul 22, 2022

spring-boot-starter-security-2.3.0.RELEASE.jar: 3 vulnerabilities (highest severity is: 8.8) sureng-ghe-aws-demo/crAPI#16

Open

joshn-whitesource-app bot mentioned this issue Dec 27, 2023

spring-security-web-4.2.12.RELEASE.jar: 9 vulnerabilities (highest severity is: 9.8) Mend-JoshN-GHE-SAST/java-sec-code#21

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use constant time comparisons for CSRF tokens #9291

Use constant time comparisons for CSRF tokens #9291

rwinch commented Dec 17, 2020 •

edited

Loading

ogarber commented Jan 4, 2021

ogarber commented Jan 12, 2021

vnjapa commented Jan 20, 2021 •

edited

Loading

rwinch commented Jan 20, 2021

ogarber commented Jan 21, 2021

Use constant time comparisons for CSRF tokens #9291

Use constant time comparisons for CSRF tokens #9291

Comments

rwinch commented Dec 17, 2020 • edited Loading

ogarber commented Jan 4, 2021

ogarber commented Jan 12, 2021

vnjapa commented Jan 20, 2021 • edited Loading

rwinch commented Jan 20, 2021

ogarber commented Jan 21, 2021

rwinch commented Dec 17, 2020 •

edited

Loading

vnjapa commented Jan 20, 2021 •

edited

Loading