Vulnerability DatabaseCVE-2021-28490

CVE-2021-28490:
Java vulnerability analysis and mitigation

Overview

OWASP CSRFGuard through version 3.1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-28490. The vulnerability was discovered in early 2021 and publicly disclosed in August 2021. The affected software is a library that implements synchronizer token pattern to mitigate CSRF attacks in Java-based web applications (OWASP Project, Third Party Advisory).

Technical details

The vulnerability exists because the CSRF cookie may be retrieved by using only a session token, which can be wrapped by a third-party request that a browser may provide. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The exploitation depends on browser configuration, particularly whether it supports CORS and denies cross-origin requests to the protected application (Third Party Advisory).

Impact

If successfully exploited, the vulnerability could allow an attacker to perform CSRF attacks against applications protected by CSRFGuard. The actual impact depends on the specific web application being protected and what actions can be performed through CSRF. The vulnerability potentially affects confidentiality, integrity, and availability of the protected application (NVD).

Mitigation and workarounds

The primary mitigation is to ensure all clients respect CORS and deny cross-origin requests to the protected application. For long-term remediation, users should upgrade to newer versions of CSRFGuard that address this vulnerability. Applications can be checked for vulnerability by looking for the CSRFGuard project in Java application dependencies or by checking for the header 'X-Protected-With: OWASP CSRFGuard Project' in HTTP responses (Third Party Advisory).

Community reactions

The OWASP developers worked with the security researcher who discovered the vulnerability to understand the issue, though there was some disagreement about the real-world exploitability. The researcher noted that while the CVSS score is high, the practical impact might be less severe as most web applications may have other more critical security issues (Third Party Advisory).

Additional resources

Source: This report was generated using AI

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-55749	HIGH	8.7	Java	org.xwiki.platform:xwiki-platform-tool-jetty-resources	No	Yes	Dec 01, 2025
CVE-2025-13806	MEDIUM	6.9	Java	org.nutz:nutzboot-parent	No	No	Dec 01, 2025
CVE-2025-13805	MEDIUM	6.3	Java	org.nutz:nutzboot-parent	No	No	Dec 01, 2025
CVE-2025-13804	MEDIUM	5.3	Java	org.nutz:nutzboot-parent	No	No	Dec 01, 2025
CVE-2025-66372	LOW	2.8	Java	org.mustangproject:library	No	Yes	Nov 28, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-28490: Java vulnerability analysis and mitigation