{"id":"CVE-2023-40021","summary":"Timing Attack Reveals CSRF Tokens in oppia","details":"Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator (`==`), which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by character. Once they have recovered the token, they can then submit a forged request on behalf of a logged-in user and execute privileged actions on that user's behalf. In particular the function to validate received CSRF tokens is at `oppia.core.controllers.base.CsrfTokenManager.is_csrf_token_valid`. An attacker who can lure a logged-in Oppia user to a malicious website can perform any change on Oppia that the user is authorized to do, including changing profile information; creating, deleting, and changing explorations; etc. Note that the attacker cannot change a user's login credentials. An attack would need to complete within 1 second because every second, the time used in computing the token changes. This issue has been addressed in commit `b89bf80837` which has been included in release `3.3.2-hotfix-2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-49jp-pjc3-2532"],"modified":"2026-04-10T05:00:35.133003Z","published":"2023-08-16T20:25:22.726Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40021.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-203","CWE-208"]},"references":[{"type":"WEB","url":"https://github.com/oppia/oppia/blob/3a05c3558a292f3db9e658e60e708c266c003fd0/core/controllers/base.py#L964-L990"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40021.json"},{"type":"ADVISORY","url":"https://github.com/oppia/oppia/security/advisories/GHSA-49jp-pjc3-2532"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40021"},{"type":"FIX","url":"https://github.com/oppia/oppia/commit/b89bf808378c1236874b5797a7bda32c77b4af23"},{"type":"FIX","url":"https://github.com/oppia/oppia/pull/18769"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/oppia/oppia","events":[{"introduced":"4f1c0ad45d949509c101cede1552321ceb1eeb2b"},{"fixed":"aad5a6526f10fda1d0eca3012deba6168c087b3e"},{"introduced":"0"},{"last_affected":"aad5a6526f10fda1d0eca3012deba6168c087b3e"},{"fixed":"b89bf808378c1236874b5797a7bda32c77b4af23"}],"database_specific":{"versions":[{"introduced":"1.1.0"},{"fixed":"3.3.2"},{"introduced":"0"},{"last_affected":"3.3.2-NA"}]}}],"versions":["v1.1.0","v1.2.0","v1.2.1","v1.2.7","v1.2.8","v2.0.0","v2.0.0.rc.1","v2.0.0.rc.2","v2.0.3","v2.1.0","v2.1.2","v2.1.4","v2.2.0","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.6.8","v2.8.6","v3.3.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40021.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}