CVE-2021-4168

8.8 HIGH

📋 TL;DR

CVE-2021-4168 is a Cross-Site Request Forgery (CSRF) vulnerability in showdoc, a documentation tool. It allows attackers to trick authenticated users into performing unintended actions like modifying documentation or changing settings. All showdoc users with web access are affected.

💻 Affected Systems

Products:
  • showdoc
Versions: All versions before commit 3ff0c85d439ccbdfadeb96b5a52acf6318041109 (specifically before the fix in early 2021)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all showdoc installations with web interface enabled. The vulnerability is in the application code, not dependent on specific OS or configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could modify or delete all documentation, change user permissions, or compromise the entire showdoc instance through admin actions.

🟠 Likely Case: Unauthorized modifications to documentation content, user account settings, or project configurations by tricking users.

🟢 If Mitigated: Limited impact with proper CSRF protections, but still potential for minor unauthorized changes if other vulnerabilities exist.

🌐 Internet-Facing: HIGH - Web applications with CSRF vulnerabilities are highly exploitable when exposed to the internet.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through phishing, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF exploits are well-understood and easy to weaponize. Exploitation requires the victim to be authenticated and visit a malicious page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 3ff0c85d439ccbdfadeb96b5a52acf6318041109 and subsequent releases

Vendor Advisory: https://github.com/star7th/showdoc/commit/3ff0c85d439ccbdfadeb96b5a52acf6318041109

Restart Required: Yes

Instructions:

1. Update showdoc to the latest version.
2. Apply the specific commit if using source.
3. Restart the showdoc service.
4. Verify CSRF tokens are now required for state-changing requests.

🔧 Temporary Workarounds

Implement CSRF Protection Headers

all

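Add protective response headers to the web server configuration to help mitigate attacks. X-Frame-Options only stops other sites from framing the showdoc interface; it does not make the application reject forged requests, so treat it as a stopgap until the patch is applied.

# For Apache (requires mod_headers): Header always set X-Frame-Options "SAMEORIGIN"
# For Nginx: add_header X-Frame-Options SAMEORIGIN;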

Use SameSite Cookies

all

Configure cookies with SameSite=Strict attribute to prevent CSRF attacks

# In showdoc configuration or web server: Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly

🧯 If You Can't Patch

  • Implement WAF rules to detect and block CSRF patterns
  • Require re-authentication for sensitive actions and use multi-step confirmation

🔍 How to Verify

Check if Vulnerable:

Check if showdoc version is before commit 3ff0c85d439ccbdfadeb96b5a52acf6318041109. Test by attempting to submit forms without CSRF tokens.

Check Version:

Check showdoc version in web interface or via git log if installed from source

Verify Fix Applied:

Verify that all state-changing requests (POST, PUT, DELETE) now require valid CSRF tokens. Test form submissions sent without tokens should fail.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed form submissions with missing CSRF tokens
  • Unexpected documentation modifications from unusual IPs

Network Indicators:

  • HTTP requests with missing Referer headers or mismatched origins for state-changing operations

SIEM Query:

web_requests method=POST AND (NOT csrf_token=*) AND uri_path CONTAINS "/showdoc/"
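
The network indicator above (state-changing requests with a missing Referer or a mismatched origin) can be checked against web server access logs. This is an added example, not code from showdoc or from this advisory; it assumes combined log format, and the host name, paths and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

TRUSTED_HOST = "docs.example.internal"   # assumption: placeholder showdoc host
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def classify(line, trusted_host=TRUSTED_HOST):
    """Return (reason, ip, path) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] not in STATE_CHANGING:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return ("missing-referer", m["ip"], m["path"])
    # Compare the parsed host exactly; a substring test would accept
    # look-alike hosts such as docs.example.internal.lookalike.example.
    try:
        host = urlsplit(referer).hostname
    except ValueError:          # malformed Referer value
        host = None
    if host != trusted_host:
        return ("cross-origin-referer", m["ip"], m["path"])
    return None

def scan(lines, trusted_host=TRUSTED_HOST):
    """Classify every line and keep only the flagged ones."""
    return [hit for hit in (classify(l, trusted_host) for l in lines) if hit]

# Constructed sample lines; hosts and paths are placeholders, not real showdoc routes.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jan/2022:10:00:01 +0000] "GET /showdoc/example/view HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Jan/2022:10:00:02 +0000] "POST /showdoc/example/save HTTP/1.1" 200 64 "https://docs.example.internal/showdoc/example/edit" "Mozilla/5.0"',
    '10.0.0.7 - bob [12/Jan/2022:10:00:03 +0000] "POST /showdoc/example/save HTTP/1.1" 200 64 "https://lure.example/page.html" "Mozilla/5.0"',
    '10.0.0.8 - carol [12/Jan/2022:10:00:04 +0000] "DELETE /showdoc/example/item HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - dave [12/Jan/2022:10:00:05 +0000] "POST /showdoc/example/settings HTTP/1.1" 200 64 "https://docs.example.internal.lookalike.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, ip, path in scan(SAMPLE_LOG):
        print(f"{reason:22} {ip:10} {path}")
```

Browsers and privacy settings can legitimately strip the Referer header, so missing-referer hits are triage signals to correlate with unexpected documentation changes rather than proof of an attack.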
