CVE-2021-47157

9.8 CRITICAL

📋 TL;DR

CVE-2021-47157 is a JSON hijacking vulnerability in Kossy, a Perl web framework, in versions before 0.60. Kossy's JSON responses (render_json) rely on the X-Requested-With request header to tell a same-origin XMLHttpRequest apart from a cross-site load that the browser makes with the victim's cookies attached; the CVE record states that this header was mishandled. A malicious page visited by a logged-in user could therefore read JSON that the application intended only for that user. Note that this is a cross-site read of authenticated data, not CSRF (a cross-site write), even though both attacks are commonly blocked by the same header check.

💻 Affected Systems

Products:
  • Kossy Perl module
Versions: All versions before 0.60
Operating Systems: All platforms running Perl
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications that return JSON through Kossy's render_json (the code path that consults X-Requested-With) are exposed; applications that render HTML only are not.

⚠️ Manual Verification Required

Automated scanners that key on the NVD record may not flag this CVE, because the record carries no CPE version ranges. The changelog itself is unambiguous (fixed in 0.60), so check the installed Kossy version by hand using the commands under "How to Verify".

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Update to Kossy 0.60 or later; there is no configuration-only fix inside Kossy itself

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal sensitive JSON data from authenticated users, potentially compromising user accounts, session tokens, or confidential information.

🟠

Likely Case

Data exfiltration from JSON API endpoints, leading to privacy violations and potential account compromise.

🟢

If Mitigated

Limited impact when JSON endpoints require X-Requested-With (or an equivalent non-forgeable header), session cookies carry SameSite, and responses are served with Content-Type: application/json plus X-Content-Type-Options: nosniff so that browsers with cross-origin read blocking refuse to hand the body to a cross-site <script> load. Actual exploitability also depends on the victim's browser: current engines will not execute a top-level JSON object or array loaded via <script>, so legacy browsers and unusual response shapes carry the most risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (the attacker needs no credentials, but a victim with an active session must be lured)
Complexity: LOW

Exploitation requires the attacker to trick a user into visiting a malicious page while that user is authenticated to the vulnerable application; the page then loads the application's JSON endpoint cross-site so that the browser attaches the victim's session cookie.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.60 and later

Vendor Advisory: https://metacpan.org/dist/Kossy/changes

Restart Required: Yes

Instructions:

1. Update the Kossy module to version 0.60 or later from CPAN: cpanm Kossy@0.60 (or cpanm Kossy for the latest release)
2. Restart your Perl application/web server so the new module is loaded
3. Confirm the running process reports $Kossy::VERSION of 0.60 or higher

🔧 Temporary Workarounds

Add custom CSRF/JSON-hijacking protection

Applies to: all

Reject requests for JSON endpoints that do not carry X-Requested-With: XMLHttpRequest before the route handler runs

# Add custom middleware or controller logic to validate the header (or a CSRF token) for all JSON responses

Disable JSON endpoints temporarily

Applies to: all

Remove or disable JSON API endpoints until patched

# Comment out or remove JSON response routes in your Kossy application
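One way to implement the first workaround is a PSGI middleware in front of the Kossy app, which works regardless of the Kossy version installed. The block below is an added example written for this page, not code from Kossy or from the CVE record; the /api/ prefix, the /api/me route, the MyApp::Web package name and the sample payload are assumptions for illustration. A page on another origin cannot attach X-Requested-With through <script>, <img> or a form submission, and a cross-origin fetch/XHR that sets it triggers a CORS preflight the server simply does not answer, so cookie-bearing cross-site loads are refused with 403 before the route runs. The Plack::Test section at the bottom exercises both cases in-process, with no network.

```perl
#!/usr/bin/env perl
# Added example (not Kossy's own code): PSGI middleware that refuses to
# serve JSON API routes to requests lacking "X-Requested-With: XMLHttpRequest".
# Assumptions: routes under /api/ return JSON; package name MyApp::Web.
use strict;
use warnings;

package MyApp::Web;
use Kossy;

# Assumed JSON route. The payload is a constructed stand-in for per-session data.
get '/api/me' => sub {
    my ($self, $c) = @_;
    $c->render_json({ user => 'alice', email => 'alice@example.invalid' });
};

package main;
use Plack::Builder;
use Plack::Test;
use HTTP::Request::Common;

# Guard applied to every path under /api/: if the header is absent or has
# any value other than XMLHttpRequest, answer 403 without touching the app.
my $require_xhr = sub {
    my $app = shift;
    return sub {
        my $env = shift;
        if ( $env->{PATH_INFO} =~ m{^/api/}
             && ( $env->{HTTP_X_REQUESTED_WITH} // '' ) ne 'XMLHttpRequest' ) {
            return [ 403,
                     [ 'Content-Type'  => 'text/plain',
                       'Cache-Control' => 'no-store' ],
                     [ 'Forbidden: X-Requested-With: XMLHttpRequest required' ] ];
        }
        return $app->($env);
    };
};

my $app = builder {
    enable $require_xhr;
    MyApp::Web->psgi('.');
};

# Self-check: both requests carry a (constructed) session cookie, as a
# browser would on a cross-site load; only the second sets the header.
test_psgi app => $app, client => sub {
    my $cb = shift;

    # Cross-site load shape: cookie attached, no XHR header.
    my $hijack = $cb->( GET '/api/me', Cookie => 'sid=victim-session' );
    printf "without header: %d %s\n", $hijack->code, $hijack->content;

    # Same-origin XHR/fetch from the application's own JavaScript.
    my $ok = $cb->( GET '/api/me',
                    Cookie             => 'sid=victim-session',
                    'X-Requested-With' => 'XMLHttpRequest' );
    printf "with header:    %d %s\n", $ok->code, $ok->content;
};
```

The middleware is deliberately independent of Kossy internals, so it serves as a stop-gap while upgrading and as defence in depth afterwards. It will break any client that fetches JSON without the header; that is the point, so inventory such clients (mobile apps, server-to-server callers) and exempt them by path or by a bearer token rather than by cookie.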

🧯 If You Can't Patch

  • Require X-Requested-With: XMLHttpRequest (or a per-session CSRF token) on every JSON endpoint, enforced before the handler runs
  • Serve JSON with Content-Type: application/json and X-Content-Type-Options: nosniff so that browser cross-origin read blocking refuses to expose the body to a cross-site <script> load
  • Set SameSite=Lax or Strict on session cookies so cross-site loads arrive without credentials, and keep additional authentication checks on sensitive endpoints

🔍 How to Verify

Check Version:

perl -MKossy -e 'print "Kossy version: $Kossy::VERSION\n"'

Any version below 0.60 is vulnerable.

Verify Fix Applied:

Confirm the version printed is 0.60 or higher, restart the application, then request a JSON endpoint with and without X-Requested-With: XMLHttpRequest (and with a session cookie attached) and confirm the behaviour matches your protection policy.

📡 Detection & Monitoring

Log Indicators:

  • GET requests to JSON endpoints that carry a session cookie but no X-Requested-With header (default access-log formats do not record this header; add it, e.g. nginx $http_x_requested_with)
  • Requests to JSON endpoints whose Referer is a host outside the application's own origins
  • Multiple failed CSRF or header-validation attempts from the same client

Network Indicators:

  • Cross-origin requests for JSON resources with suspicious Referer values
  • JSON responses served to requests originating from unexpected origins

SIEM Query (pseudo-syntax, adapt field names to your log schema):

source="web_logs" AND method="GET" AND (uri="*.json" OR content_type="application/json") AND referer NOT IN allowed_domains AND x_requested_with != "XMLHttpRequest"
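The indicators above can be applied offline to an exported access log. The script below is an added example for this page, not Kossy's or any vendor's tooling. It assumes the log has been extended to record Referer and X-Requested-With (nginx: $http_referer and $http_x_requested_with in log_format) in a tab-separated layout; that layout, the allowed hostname and the five log lines are all constructed for the example and are not from a real system.

```perl
#!/usr/bin/env perl
# Added example (not Kossy's own code): flag GET requests for JSON
# resources that look like cross-site loads.
# Assumed log layout, one request per line, tab-separated:
#   ip  method  path  status  referer  x_requested_with   ('-' when absent)
use strict;
use warnings;

# Assumed list of the application's own origins.
my @ALLOWED_HOSTS = qw(app.example.invalid);

# Constructed sample lines for the example; not captured from a real system.
my @LOG = (
    "203.0.113.5\tGET\t/api/me\t200\thttps://app.example.invalid/dashboard\tXMLHttpRequest",
    "203.0.113.7\tGET\t/api/me\t200\thttps://evil.example.invalid/lure.html\t-",
    "203.0.113.9\tGET\t/api/orders.json\t200\t-\t-",
    "203.0.113.9\tPOST\t/api/orders\t201\thttps://app.example.invalid/cart\tXMLHttpRequest",
    "203.0.113.11\tGET\t/static/app.js\t200\thttps://evil.example.invalid/\t-",
);

# Paths treated as JSON resources (assumed convention: /api/ prefix or .json).
sub is_json_path {
    my $path = shift;
    return $path =~ m{^/api/} || $path =~ m{\.json$};
}

# Host part of an absolute http(s) Referer, lower-cased; undef if unparseable.
sub referer_host {
    my $ref = shift;
    return undef if $ref =~ m{^https?://([^/:?#]+)}i ? 0 : 1;
    return lc $1;
}

sub referer_is_foreign {
    my $host = referer_host(shift) // return 1;   # unparseable: treat as foreign
    return 0 == grep { $_ eq $host } @ALLOWED_HOSTS;
}

# Returns one line per suspicious request: successful GET of a JSON resource
# without the XHR header, and either a foreign Referer (strong signal) or no
# Referer at all (weak: Referrer-Policy or a typed URL also produce this).
sub scan {
    my @flagged;
    for my $line (@_) {
        chomp $line;
        my ($ip, $method, $path, $status, $ref, $xrw) = split /\t/, $line, 6;
        next unless defined $xrw;                       # malformed line
        next unless $method eq 'GET' && is_json_path($path) && $status == 200;
        next if $xrw eq 'XMLHttpRequest';               # legitimate XHR/fetch
        my $reason;
        if ($ref eq '-') {
            $reason = 'LOW: no Referer';
        } elsif (referer_is_foreign($ref)) {
            $reason = "HIGH: cross-origin Referer $ref";
        }
        push @flagged, "$ip GET $path ($reason)" if defined $reason;
    }
    return @flagged;
}

print "$_\n" for scan(@LOG);
```

Tune the JSON-path rule to the application's real routes, and treat the "no Referer" hits as review material rather than alerts; the cross-origin Referer hits against a JSON endpoint with no XHR header are the ones worth correlating with the affected user's session.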
