Sensitive Cookie in HTTPS Session Without secure Attribute

[mrapw]

Hello

we have a snipe-it instance running in docker, and a recent security audit has flagged a severity classified "Medium" related to Cookies as shown below. we are on version 6.0.14
I can't find any info on this vulnerability and no CVE provided.

has anyone seen this before and confirm if this is genuine and if a fix is available?

Sensitive Cookie in HTTPS Session Without secure Attribute

Output:
Cookie ID: xxxxxxxxxxxxxxxxxxxx

Cookie Name: XSRF-TOKEN
Expires: 720000
HTTPOnly: False
Path: /
Secure: False

Cookie ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Cookie Name: snipeit_session
Expires: 720000
HTTPOnly: True
Path: /
Secure: False

[NickSnellockBS]

I have this issue too and it is not resolved. This CWE gives more information: https://cwe.mitre.org/data/definitions/1004.html

[snipe]

https://snipeitapp.com/security#recent-vulnerability-scan-results

[snipe]

We have this documented. Enable SECURE_COOKIES in your env https://snipe-it.readme.io/docs/configuration

[admfstepan]

Enabling SECURE_COOKIES in the .env file will only protect the snipeit_session cookie. However, this configuration does not impact the XSRF-TOKEN, which appears to be handled at the application layer. This issue is still present

[Glukose1]

I can confirm this, the XSRF Cookie does not get the correct attribute even with secure_cookies enabled in the .env, I configured the apache vhost to set these cookies correctly but it would be great if that would be changed by an extra setting or together with the secur_cookies env entry.

[admfstepan]

It seems that there is a middleware responsible for generating a new XSRF token, which, unlike what @Glukose1 mentioned, overrides the Apache configurations. I found the generation of this token in the VerifyCsrfToken.php file. The seventh parameter passed to the Cookie class constructor is set to false, which indicates that the HttpOnly flag is disabled. Changing the value to true will fix the issue.

    /**
     * Create a new "XSRF-TOKEN" cookie that contains the CSRF token.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  array  $config
     * @return \Symfony\Component\HttpFoundation\Cookie
     */
    protected function newCookie($request, $config)
    {
        return new Cookie(
            'XSRF-TOKEN',
            $request->session()->token(),
            $this->availableAt(60 * $config['lifetime']),
            $config['path'],
            $config['domain'],
            $config['secure'],
            true, # This is HttpOnly parameter
            false,
            $config['same_site'] ?? null,
            $config['partitioned'] ?? false
        );
    }