CVE-2022-28108 — Selenium Server (Grid) CSRF

Description

Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

How to fix CVE-2022-28108

To remediate CVE-2022-28108, upgrade the affected package to a fixed version below.

Maven/org.seleniumhq.selenium:selenium-grid—upgrade to 4.0.0-alpha-7 or later
—no fix listed
—upgrade to 4.0.0 or later

Is CVE-2022-28108 being exploited?

Moderate — EPSS is 22.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 4.0.0-alpha-7
from 0, <= 4.0.0-alpha-2
from 0, < 4.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-28108
ADVISORYwww.selenium.dev/downloads/
PATCHgithub.com/SeleniumHQ/selenium
WEBwww.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce