CVE-2017-16570 — Cross-Site Request Forgery (CSRF) in keystone

Description

Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Request Forgery (CSRF). The package fails to validate the presence of the `X-CSRF-Token` header, which may allow attackers to carry actions on behalf of other users on all endpoints. ## Recommendation Update to version 4.0.0 or later.

How to fix CVE-2017-16570

To remediate CVE-2017-16570, upgrade the affected package to a fixed version below.

—upgrade to 4.0.0-beta.7 or later

Is CVE-2017-16570 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.0-beta.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (9)

ADVISORYgithub.com/advisories/GHSA-q43c-g2g7-6gxj
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-16570
WEBblog.securelayer7.net/keystonejs-open-source-penetration-testing-report
WEBgithub.com/keystonejs/keystone/issues/4437
WEB