CVE-2020-26251: Open Zaak before version 1.3.3 had an insecure Cross-Origin Resource Sharing (CORS) policy that allowed any client, potentially enabling cross-site request forgery attacks.

Description

Open Zaak, an open-source data and services layer for Dutch case management, contained a vulnerability in versions prior to 1.3.3: the Cross-Origin Resource Sharing (CORS) policy was configured to allow requests from any origin. This misconfiguration could allow a malicious website to make AJAX requests to an Open Zaak installation from a user's browser. The permissive CORS policy was intended only for development environments running on localhost, but it was applied to all deployments. Exploitation was limited by several mitigating factors: Same-Site cookie policies, authentication requirements, disabled credentials in cross-origin requests, and CSRF protections.

Overview

CVE-2020-26251 affects Open Zaak versions before 1.3.3. The vulnerability (CWE-346: Origin Validation Error) stems from an overly permissive CORS policy that allowed any origin to make requests to Open Zaak installations. An attacker could craft a malicious website that makes cross-origin requests to a known Open Zaak instance using the victim's browser. The issue was particularly concerning because the permissive policy, intended only for development use on localhost, was also applied to production environments. However, several security controls limited the actual exploitability of this vulnerability: Same-Site cookie restrictions, authentication requirements for access to sensitive data, disabled credentials in cross-origin requests, and CSRF protections.

Remediation

To remediate this vulnerability:

  1. Upgrade Open Zaak to version 1.3.3 or later, which disables CORS by default
  2. If CORS is required for specific use cases, explicitly configure it through environment variables with appropriate restrictions
  3. Ensure that only trusted origins are allowed in your CORS configuration
  4. Maintain other security controls such as Same-Site cookie policies and CSRF protections
  5. Review server logs for any suspicious cross-origin requests that may indicate attempted exploitation

For organizations unable to upgrade immediately, implementing strict CORS policies through web server configuration (like Apache or Nginx) can provide temporary mitigation.
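The following is an added example, not code from Open Zaak or from the advisory. It models the two policies the remediation contrasts: a server that answers any origin with a wildcard (the pre-1.3.3 behaviour described above) beside one that only acknowledges an explicit allowlist, plus a checker that classifies the headers a response carries so an operator can verify which behaviour an instance exhibits. The allowlist, the origins and the header sets are constructed for this example; the function names are hypothetical.

```python
"""Permissive vs. allowlisted CORS, and a classifier for CORS response headers.

Constructed example: the trusted origin and the request origins below are
placeholders, not values from the advisory.
"""
from __future__ import annotations

from typing import Mapping, Optional

# Hypothetical trusted front-end origin (constructed for this example).
TRUSTED_ORIGINS: frozenset[str] = frozenset({"https://frontend.example.org"})


def cors_response_headers(origin: Optional[str], allow_all: bool,
                          allowed: frozenset[str] = TRUSTED_ORIGINS) -> dict[str, str]:
    """Headers a server attaches to a response for a request from `origin`.

    allow_all=True models a policy that accepts any origin (the behaviour the
    advisory describes); allow_all=False models an explicit allowlist.
    """
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to add
    if allow_all:
        return {"Access-Control-Allow-Origin": "*"}
    if origin in allowed:
        # Echo only allowlisted origins, and tell caches the answer varies.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}  # untrusted origin: the browser will not expose the response


def classify_cors(origin: str, headers: Mapping[str, str],
                  allowed: frozenset[str] = TRUSTED_ORIGINS) -> str:
    """Classify what a page running at `origin` would be permitted to read.

    Returns one of: "blocked", "wildcard", "allowlisted", "reflected",
    "reflected-with-credentials".
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "blocked"
    if acao == "*":
        # Browsers refuse to send cookies when ACAO is "*", so a wildcard
        # exposes only unauthenticated responses (one of the mitigating
        # factors listed in the advisory).
        return "wildcard"
    if acao == origin:
        if origin in allowed:
            return "allowlisted"
        # An arbitrary origin echoed back is worse than a wildcard, and worst
        # when credentials are also allowed.
        return "reflected-with-credentials" if creds else "reflected"
    return "blocked"


if __name__ == "__main__":
    for flag in (True, False):
        hdrs = cors_response_headers("https://attacker.example", allow_all=flag)
        print(f"allow_all={flag}: {hdrs} -> "
              f"{classify_cors('https://attacker.example', hdrs)}")
```

Run against a live instance, the same classification applies to the headers returned for a request carrying an `Origin` header; after the upgrade to 1.3.3 an unconfigured deployment should classify as "blocked" for every origin, and a deployment with CORS explicitly enabled should classify as "allowlisted" only for the origins the operator configured.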

References

  1. Open Zaak Changelog for version 1.3.3: https://github.com/open-zaak/open-zaak/blob/master/CHANGELOG.rst#133-2020-12-17
  2. Fix commit: https://github.com/open-zaak/open-zaak/commit/952269269f1b629fce9c94485f83ac13f31d6c46
  3. GitHub Security Advisory: https://github.com/open-zaak/open-zaak/security/advisories/GHSA-chhr-gxrg-64x7
  4. CWE-346: Origin Validation Error: https://cwe.mitre.org/data/definitions/346.html
  5. OWASP CORS guidance: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
