CodeChecker Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in CodeChecker versions prior to 6.24.5. This issue allows an unauthenticated attacker to hijack the authentication of a logged-in user and interact with the web API using the same permissions. The vulnerability arises because security attributes such as HttpOnly and SameSite are absent from the session cookie, enabling its use in XMLHttpRequest (XHR) requests and form submissions. Exploitation requires knowledge of product IDs to modify or delete products, although creating new products with the SQLite backend does not require such knowledge.

Impact

Exploitation of this vulnerability allows an attacker to perform actions on behalf of a logged-in user, including adding, removing, or editing products. However, the attacker cannot directly exfiltrate data from CodeChecker due to the form-based nature of the CSRF vulnerability.

Reproduction

To reproduce this vulnerability, a superuser must be logged into CodeChecker. An attacker can then send a crafted form submission to the CodeChecker API Products endpoint, which the browser sends together with the session cookie of the logged-in user. Because the endpoint checks no CSRF token and the session cookie lacks the HttpOnly and SameSite attributes, the form submission succeeds, exploiting the CSRF vulnerability.
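As an added example (not CodeChecker's own code), the following Python audits a Set-Cookie header for the attributes this advisory says the session cookie lacks (HttpOnly, SameSite) plus Secure, and reports whether a browser would still attach the cookie to a cross-site form POST. The cookie name and values below are constructed for illustration, not captured from a CodeChecker deployment.

```python
"""Audit Set-Cookie headers for session-cookie hardening attributes.

Added example for this advisory, not part of CodeChecker. Feed it the
Set-Cookie value returned by a login response and check `missing` and
`cross_site_post_ok` before deciding whether a deployment is exposed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CookieAudit:
    name: str
    missing: List[str]        # hardening attributes not present
    cross_site_post_ok: bool  # browser would send it on a cross-site POST


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and report missing protections.

    SameSite is treated as missing when absent or set to None: in both
    cases a cross-site form submission may carry the cookie (browsers
    without Lax-by-default send it when absent; None always sends it).
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    missing = [flag for flag in ("HttpOnly", "Secure")
               if flag.lower() not in attrs]
    samesite = attrs.get("samesite", "").lower()
    restricts_cross_site = samesite in ("strict", "lax")
    if not restricts_cross_site:
        missing.append("SameSite")
    return CookieAudit(name, missing, not restricts_cross_site)


# Constructed sample headers (placeholder cookie name, not CodeChecker's):
WEAK = "session=abc123; Path=/"
HARDENED = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        print(audit_set_cookie(hdr))
```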

Remediation

Users can upgrade to CodeChecker version 6.24.5 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm scores:
spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.